This is hard to believe, but about 30% of sites keep their users' passwords in an unprotected form. If someone breaks into the system, all the passwords will be in front of them in clear text.
Advanced users have reason to feel hurt if the 15-character passwords they generate and memorize are stored this way.
As you know, many people tend to use the same password for different services. If a data leak occurs in one place, the leaked password may also open the user's mailbox and online banking service.
The authors of the “blacklist” Plain Text Offenders are sure that only public censure on the web can deal with such carelessness on the part of web developers. Every day the resource publishes websites that may store passwords in the clear.
If you have discovered such an unsightly site yourself, send a screenshot with proof (for example, an email from them containing your password in clear text), and it will be added to the list.
In fact, if a service sends you an email with your password, it does not necessarily mean that it stores passwords in clear text. But, first, transmitting such secret information unencrypted over open networks is in itself worthy of censure.
Secondly, if the service sends passwords by mail in clear text, it means that somewhere on its servers they are also stored in clear text, at least temporarily. It is also possible that there are backups or a mail archive where this data is stored permanently. That is, even if the service hashes passwords, keeping such a mail archive defeats all the protective measures.
Another "blacklist" of sites that store passwords in clear text is here. There you can also find the PasswordFail extension for Chrome, which will let you know if you have visited a site from the list.
For reliable password protection it is recommended to use only bcrypt. The fact is that with modern CUDA processors you can build a relatively inexpensive cluster that will not only earn 10–20 dollars a day in bitcoin, but also go through up to 700 million hashes per second, so an ordinary hash like MD5 or SHA1 cannot be considered reliable protection.
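
A defender-side check that follows from the recommendation above, as an added example that is not part of the original article: it audits the values in a password column and flags anything that is not bcrypt with an adequate cost. The function names, the sample rows and the cost floor of 10 are assumptions made for this example.

```python
import re

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then
# 53 characters (22-char salt + 31-char digest) from the ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Unsalted fast digests are usually stored as bare hex: 32 chars (MD5), 40 (SHA1).
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
FAST_HEX_LENGTHS = {32: "md5", 40: "sha1"}
MIN_BCRYPT_COST = 10  # assumed policy floor for this example, not from the article


def classify(stored):
    """Return (scheme, acceptable) for one value from a password column."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        return ("bcrypt(cost=%d)" % cost, cost >= MIN_BCRYPT_COST)
    if HEX_RE.match(stored) and len(stored) in FAST_HEX_LENGTHS:
        return (FAST_HEX_LENGTHS[len(stored)] + "-hex", False)
    # Heuristic: everything else is treated as clear text; an unknown
    # hashing scheme would land here too and needs manual review.
    return ("plaintext-or-unknown", False)


def audit(rows):
    """Map each user to (scheme, verdict); only adequately costed bcrypt passes."""
    findings = {}
    for user, stored in rows:
        scheme, ok = classify(stored)
        findings[user] = (scheme, "ok" if ok else "FLAG")
    return findings


# Constructed sample rows (not real credentials). The hex and bcrypt strings
# are format-valid placeholders, not digests of any actual password.
SAMPLE_ROWS = [
    ("alice", "correct horse battery"),
    ("bob", "ab" * 16),
    ("carol", "cd" * 20),
    ("dave", "$2b$12$" + "A" * 53),
    ("erin", "$2a$04$" + "B" * 53),
]

if __name__ == "__main__":
    for user, (scheme, verdict) in audit(SAMPLE_ROWS).items():
        print("%-6s %-22s %s" % (user, scheme, verdict))
```

Only the row for dave passes; erin is flagged because a bcrypt cost of 4 gives up most of the slowdown that makes bcrypt resistant to the hash rates mentioned above.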