Comments on: SECURITY FAIL: Workamajig.com encourages users to email cleartext passwords http://maymay.net/blog/2008/10/22/security-fail-workamajigcom-encourages-users-to-email-cleartext-passwords/ The brutally honest, first-person account of Meitar Moscovitz's life. Mon, 21 May 2012 09:39:33 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Mark Klein http://maymay.net/blog/2008/10/22/security-fail-workamajigcom-encourages-users-to-email-cleartext-passwords/comment-page-1/#comment-175267 Mark Klein Tue, 20 Oct 2009 12:30:54 +0000 http://maymay.net/blog/?p=711#comment-175267 Well on the bright side, even if someone does break in, the information will probably be incorrect... http://www.youtube.com/watch?v=hSl_c5kXUSk Well on the bright side, even if someone does break in, the information will probably be incorrect…

http://www.youtube.com/watch?v=hSl_c5kXUSk

]]> By: ReaderX http://maymay.net/blog/2008/10/22/security-fail-workamajigcom-encourages-users-to-email-cleartext-passwords/comment-page-1/#comment-171275 ReaderX Wed, 23 Sep 2009 22:19:15 +0000 http://maymay.net/blog/?p=711#comment-171275 @Andrew Dushie - Options are a Good Thing(tm). I don't think you're characterizing these ones particularly well. May I suggest: Opt to encrypt passwords to keep your business secure from bungling by technically incompetent staff; or Opt to leave the front door to your offices open overnight with a sign that reads "Welcome, please steal our data because we don't value it." Glib? Nah. Blunt. Decisionmakers must understand the context of security choices and the consequences of those decisions. Default choices should be sane ones (i.e., encrypted). @Andrew Dushie – Options are a Good Thing(tm). I don’t think you’re characterizing these ones particularly well. May I suggest: Opt to encrypt passwords to keep your business secure from bungling by technically incompetent staff; or Opt to leave the front door to your offices open overnight with a sign that reads “Welcome, please steal our data because we don’t value it.”

Glib? Nah. Blunt. Decisionmakers must understand the context of security choices and the consequences of those decisions.

Default choices should be sane ones (i.e., encrypted).

]]> By: Meitar http://maymay.net/blog/2008/10/22/security-fail-workamajigcom-encourages-users-to-email-cleartext-passwords/comment-page-1/#comment-135299 Meitar Sat, 08 Nov 2008 04:07:16 +0000 http://maymay.net/blog/?p=711#comment-135299 <blockquote>They probably do store passwords unencrypted, since if you click “Trouble Logging In” and request your password, they do actually send it to you rather than send you a reset link.</blockquote> That seems like a huge, fundamental mistake to me. Workamajig's product is a much more "mission-critical" piece of software than, say, a blogging tool like WordPress for most businesses and yet not even WordPress will send you your password when you forget it anymore. It sends you a reset link instead now, as it should. The security-versus–convenience argument is a classic one, no doubt, yet if people who write blog software can make security a priority so can a company like Workamajig. If I were a small-business owner, I'd feel much better about using a product with one-factor authentication if that factor was stronger than a password that the tool emailed in plaintext when (not <em>if</em>) my employees forget theirs.

They probably do store passwords unencrypted, since if you click “Trouble Logging In” and request your password, they do actually send it to you rather than send you a reset link.

That seems like a huge, fundamental mistake to me. Workamajig’s product is a much more “mission-critical” piece of software than, say, a blogging tool like WordPress for most businesses and yet not even WordPress will send you your password when you forget it anymore. It sends you a reset link instead now, as it should.

The security-versus–convenience argument is a classic one, no doubt, yet if people who write blog software can make security a priority so can a company like Workamajig. If I were a small-business owner, I’d feel much better about using a product with one-factor authentication if that factor was stronger than a password that the tool emailed in plaintext when (not if) my employees forget theirs.

]]> By: Andrew Duthie http://maymay.net/blog/2008/10/22/security-fail-workamajigcom-encourages-users-to-email-cleartext-passwords/comment-page-1/#comment-134326 Andrew Duthie Fri, 24 Oct 2008 20:50:57 +0000 http://maymay.net/blog/?p=711#comment-134326 Interesting. I've not come across any login errors with Workamajig. Not surprised that the "please send this" part is part of standard error processing. They probably do store passwords unencrypted, since if you click "Trouble Logging In" and request your password, they do actually send it to you rather than send you a reset link. A fix for that would be to make it optional for the administrator: opt to encrypt passwords and your staff will have more trouble when they forget; opt to unencrypt them to save hassles but have somewhat weaker security. (Or better yet, make it tougher for passwords on administrative accounts but easier for passwords on accounts with less access to information in the system.) Interesting. I’ve not come across any login errors with Workamajig. Not surprised that the “please send this” part is part of standard error processing. They probably do store passwords unencrypted, since if you click “Trouble Logging In” and request your password, they do actually send it to you rather than send you a reset link. A fix for that would be to make it optional for the administrator: opt to encrypt passwords and your staff will have more trouble when they forget; opt to unencrypt them to save hassles but have somewhat weaker security. (Or better yet, make it tougher for passwords on administrative accounts but easier for passwords on accounts with less access to information in the system.)

]]>