by raganwald 5467 days ago
Blaming Hover.com is shooting the messenger. The problem here is that this is what customers want. As long as you ask Hover to compete for business in a race to the bottom of the "convenience" barrel, you are going to have this problem. If Hover stops doing this, someone else will come along and take Hover's business by sending plaintext passwords around in email.

So.

You either live with it and do your business with someone who has decided to offer a "premium" service and has a business model catering to educated customers,

Or:

You look for the government to regulate the marketplace as a public good. We do this with things like the safety of cars, we've decided that the marketplace cannot be left to decide this for itself. We attempt to do this with things like the content and handling of food, we've decided that the marketplace cannot be left to decide this for itself.

Perhaps the security of your account is not important enough to impose regulation. Perhaps it is. But as long as it's left up to the marketplace, the existence of companies like Hover is inevitable, and waggling our fingers at them is not going to do anything except make us feel smarter than the average bear.

7 comments

It's not what customers want! Customers don't have a clue. They trust the provider to look out for their interests, since they are not experts. Customers don't understand that receiving a password instead of a reset link means that someone else can take their password. Customers don't know that probably any technical 16-year-old who doesn't like them (or any Hover employee) can figure out a way to break into Hover.com and steal their account. Hover is taking advantage of their knowledge to exploit the ignorance of customers.

I agree that we probably can't stop them from doing it short of government regulation, but that doesn't mean it's not a fucked-up thing to do.

Second! Customers do not want insecurity. That's like saying people want bank vaults with glass walls. It's ridiculous on its face.

Agreed, it's not what someone wants if they're fully educated about the trade-offs.

Trenchant, but ultimately orthogonal.

The Big Problem here isn't that Hover has decided that user convenience warrants storing passwords insecurely. That is a problem, of course, but it is not as big a problem as The Big Problem here.

The Big Problem is the grafs spent defending the soundness of Hover's password storage strategy. Hover does not appear to understand that they have conceded user security. They believe that a combination of their network security and physical security† mitigates these flaws. If you're going to sell out user security to minimize customer support costs, I'd at least like to know that you know that's what you're doing.

That Hover does not appear to know what they are doing suggests that there is much more badness to be had in their systems, which is a problem that will burn them much more painfully than password hashes.

Notably, not application security --- no external auditor would let "user passwords appear in plaintext in a database column" slide.

I see we're going to argue about whether to ascribe to malice that which can be explained by stupidity. I'm going to go against the aphorism and say "malice." I suspect they know exactly what they're doing, and they also know that their strategy of "security be damned, let's sell some more domain names" requires a plausible explanation of security, thus they come out and tell us something that you and I know to be false.

But the audience for this blatant nonsense are the people who want Hover.com to mail their password to them, so they think they can get away with telling us that "a combination of their network security and physical security† mitigates these flaws." You know this to be false, I know it to be false, and I suggest they know it as well.

I think it's slightly more likely that they think it might be true, and they want it to be true, so they're going to be incurious. Either way, my only real point is: there's probably going to be SQLI somewhere in that app too. And if they take file uploads anywhere, my guess is you'll be able to run code remotely.

(I know neither of these things to be true for a fact and am just making a rhetorical point.)

> They believe that a combination of their network security and physical security† mitigates these flaws.

That is not how I read it. You could argue the other way:

If they have to send password reset URLs anyway, they can just as well send the password itself.

That makes sense. It's just that by storing the passwords at all, you risk losing them if someone gains access to your database.

The URLs are usually time-linked, one-time, and service-specific, as opposed to the password, which 1) is permanent, 2) can be used without the user knowing, and 3) is likely to be used on other services as well.
Also a legitimate user will notice when somebody resets their password, because their old password won't work any more.
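The three properties listed above (time-limited, one-time, specific to the issuing service) are easy to get right in a reset-link token store. The following is an added example, not code from the thread or from Hover; the 15-minute lifetime, the `ResetTokenStore` name and the injectable clock are assumptions made for the illustration. Only a hash of each token is persisted, so a database leak exposes neither passwords nor usable reset links.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links expire after 15 minutes


class ResetTokenStore:
    """Issue and redeem password-reset tokens that are unguessable, expiring and single-use.

    The store keeps only SHA-256(token) -> (user_id, expires_at). The raw token
    exists solely in the email link, which is the opposite of mailing a permanent
    password: nothing in the database lets a reader log in as the user.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._tokens = {}    # token_hash -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Hashing the token means the table is useless to anyone who copies it.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output; not derived from the password
        self._tokens[self._key(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token  # embed in the emailed link; never store or log this value

    def redeem(self, token: str):
        """Return the user_id the token was issued for, or None if it is unknown, used or expired."""
        entry = self._tokens.pop(self._key(token), None)  # pop: a token is consumed on first use
        if entry is None:
            return None  # unknown token, or a token minted by some other service/table
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired tokens are dropped, not honoured late
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")
    print("first redeem ->", store.redeem(link_token))   # alice
    print("second redeem ->", store.redeem(link_token))  # None: already used
```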

You appear to not understand how password hashing works. A well designed hashing function is one-way, it cannot practically be reversed. With a large salt, even very weak passwords ("cat") cannot be reversed.

https://secure.wikimedia.org/wikipedia/en/wiki/Password_hash...

Salts only protect against rainbow tables. If you want to stop brute forcing you need a very slow hash like bcrypt.

And you'll still be able to brute force "cat" in under a day.

Not only that, but the size of the "salt" has nothing to do with how long it takes to brute force a password. We should stop saying "salt" and start saying "randomizer" so at least people understand what that thing is doing; I think everyone understands intuitively that a hash can be "randomized enough" so that further randomization isn't a win.
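The exchange above makes three claims that can be checked empirically: a salt stops precomputation but not brute force, a deliberately slow hash is what raises the cost per guess, and salt length does not change that cost. This added example (not from the thread) measures guess throughput against salted SHA-256 and against a tunable-cost KDF. It assumes `hashlib.pbkdf2_hmac` as a stand-in for bcrypt, which is not in the Python standard library, with an assumed iteration count of 100,000.

```python
import hashlib
import hmac
import os
import time

SLOW_ITERATIONS = 100_000  # assumption: tuned so one guess costs tens of milliseconds


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-256: a per-user salt defeats rainbow tables, but each guess costs one hash."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = SLOW_ITERATIONS) -> bytes:
    """Tunable-cost KDF (PBKDF2 standing in for bcrypt): every guess pays the full iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def store(hash_fn, password: bytes, salt_len: int = 16):
    """Return (salt, digest) as a server would persist them; the salt is random but not secret."""
    salt = os.urandom(salt_len)
    return salt, hash_fn(password, salt)


def verify(hash_fn, password: bytes, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time so the check itself leaks nothing."""
    return hmac.compare_digest(hash_fn(password, salt), digest)


def guesses_per_second(hash_fn, salt: bytes, window: float = 0.2) -> float:
    """How many candidate passwords one core can test per second against this scheme."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < window:
        hash_fn(b"candidate", salt)
        count += 1
    return count / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate in a keyspace at the measured rate."""
    return keyspace / rate


if __name__ == "__main__":
    for name, fn in (("salted sha256", fast_hash), ("pbkdf2", slow_hash)):
        for salt_len in (8, 64):  # a longer salt changes nothing about the rate
            salt, digest = store(fn, b"cat", salt_len)
            assert verify(fn, b"cat", salt, digest)
            rate = guesses_per_second(fn, salt)
            print(f"{name}, {salt_len}-byte salt: {rate:,.0f} guesses/s; "
                  f"26^3 keyspace exhausted in {seconds_to_exhaust(26 ** 3, rate):.3f}s")
```

Run it and compare the two rows for each scheme: the salted SHA-256 rate dwarfs the PBKDF2 rate by orders of magnitude, while the 8-byte and 64-byte salt rows for the same scheme are indistinguishable.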

> The problem here is that this is what customers want

And I want a pony, they gonna give me that too?

A business transaction is a negotiation between seller and client. You don't always have to give them what they want, and if you are good enough, people won't leave you over that one thing.

If you are going to only use sites that store your password in plaintext because it is so damn convenient, you are not going to have much Internet left.

You know this and I know this, but the way the marketplace works is that if nobody intervenes, people buy food that kills them, cribs that kill their babies, pajamas that catch on fire and stick burning plastic to their skin, and so forth.

So we draw a line somewhere and say that those products and services over there, caveat emptor. These over here, OTOH, must have a minimum standard of safety.

I am personally not convinced that domain registration should be left up to the marketplace. What if someone gets a user's password and then redirects their web addresses to a site that dispenses malware?

The victims in this case aren't even the domain registrar's customers, they're people who had absolutely no say in the question.

But anyway, I wasn't really trying to suggest we regulate it so much as suggest that laughing at Hover.com is looking in the wrong direction. There is a large social problem isomorphic to the "disable your security software if you want to see a video of dancing babies" problem. That problem is far more interesting and important than the "greedy businesspeople are greedy" problem.

whoa! I think this may be the first request for a pony on HN.

I disagree. All they did (edit: to clarify, it seems to me that they only tried two alternatives) was try sending a password reset link and the unencrypted password itself. I don't think sending the user a new password would be that big a deal (we're assuming they receive the email, as both methods will fail if not), and you could show them the password reset page immediately after they logged in with the new password.

Win/win.

If the password reset function sends a temporary password just as you say, THEN it is not that big a deal. On the other hand, if they are storing every user's original password in such a way that they send the user their existing password...

I believe this is the scenario most people here think is happening.

Oh, I'm sure it is. I'm saying that they should send a temporary password instead.

Even if you accept that this isn't wrong because it's what customers want; if it's broadly unknown (by this community) it becomes newsworthy because HN would probably not want to think of itself as at the bottom of the barrel, and will be more than willing to move away from a host that shows such a flagrant disregard for security.

It isn't wrong in exactly the same way that selling cigarettes isn't wrong. I'm not saying it isn't noteworthy, just that like the tobacco problem, we shouldn't fall victim to thinking that Hover.com's choices are the only problem.

What a horribly wrong comment.

First off, nobody chooses their domain registrar because it provides plain text lost passwords instead of something more secure. That is such a silly claim that I would hope you don't actually believe it. However, people will certainly leave a domain registrar based on an insecure password policy. This is especially true of the people who frequent domain registrar services.

Second, you claim the market is failing. It's doing exactly the opposite. You are commenting on a widely read post with hundreds of comments and many thousands of views that is in the process of putting a black mark on this stupid company as we speak. They will get a nontrivial number of emails and cancellations referring to this post, and I guarantee they change their policy within the month. This is exactly how the market is supposed to work.

I find it very interesting that a domain registrar has a customer base demanding this. In my anecdotal experience domain registrar customers do vary a bit in their technical knowledge, but overall are above average.

As for being what the customers want, not this customer. I'll definitely never become their customer if they are this insecure.