by dutchbrit 5112 days ago
My email to Envato:

I seriously can't understand how Envato found it responsible to even implement something that saves plaintext passwords. You must have known when implementing it. If this "3rd party" plugin was so important, then implement the plugin later on when it is secure - you don't fuck around with private details. If it was important for the initial release, you shouldn't have launched until this was sorted.

You have hereby lost a customer. I now have to reset my password on a ton of forums and probably also themeforest. I will give you some other feedback. Maybe I'm blind but to login on Nettuts, don't make users have to scroll and look for a dinky login text.

On ThemeForest, seriously remove the fucking Captcha from the login form. Sorry for my French but seriously, on a contact or registration form, I could understand why. If you are afraid of brute force, there are other great ways to do so.

Fail, Sam Granger

Ps. You should read your own tutorials on security, they aren't too bad.

2 comments

Why would you have to change your password on "a ton of forums" if you yourself have been using password best practices? Envato was responsible in their disclosure- you think those "tons" of forums are all going to do the same? For all you know your password has been in the wild for years.

You should use this as an opportunity to get a password manager (Lastpass, for instance) and use unique passwords for each site.

I agree that it's my fault not having a unique password for Envato. I do have unique passwords for most important things, but to have unique weird passwords for everything is too much for me, especially since I'm switching computers all the time; it'd be quite a hassle each time. Especially since I log into a lot of less important sites with this password. If it was salted and encrypted, I wouldn't bother changing them. But seriously, plaintext. It's the biggest cockup I can imagine. Some may argue, but you can also keep passwords on your phone or online; you're correct, but what if my passphrase gets hacked to all my unique passwords? How do I know that these services are waterproof? It's not the most secure way of storing passwords either to be honest, but they don't have any other way. It has to be decryptable. In the end, nothing is waterproof.

Sure, nothing is waterproof. However, some solutions are better than others - and as a LastPass user I know I don't have to change my password on "a ton of forums".

I think it's wrong that you are espousing password security when you have not taken the required steps to secure your own accounts across "a ton of forums".

Security in the real world is hard. I worked as a penetration tester, so I have some authority to say so.

For most startups getting users is a priority and everyone is prone to taking shortcuts (clearly including YOU - sharing passwords across forums); incidents like this are commonplace in the business world and the fact that Envato had the balls to own up is kudos to them.