Thursday, August 4, 2011

Hall of shame: Mediafire

Let's see:
You have a nice "password strength" meter, but once one submits the form, it repeats back the password in the clear, complains that its too long, and can't have any "special" characters.

Why would that matter, since the password hash would be the same regardless of length? You are securely hashing the passwords, and not storing them in the database as plain-text, right? Right?

Also, can you tell me exactly what the difference is between a special character and a non-special one?  Is it "special" when it causes a SQL Injection vulnerability (which of course you would defense against by properly escaping database inputs), when storing it in the password in plain-text (which of course you don't do) ?

BTW: I don't think I will be trusting you with access to my Facebook account just yet. Hope you don't mind.

I have proof that they store password "in the clear": The password test is case-insensitive!
You can try this out yourself:
If your password is "joshua", you can log in using "JOSHUA" or "JoSHuA".    This is only possible if the site doesn't use any password hashing at all.   Security 101 FAIL!