
Storing passwords in Ozon.ru

About two weeks ago, Habr discussed the cracking of LinkedIn passwords. Supposedly the hashing algorithm was old, no salt was used, and so on. All of that is small stuff.

I decided to recover the password for my account on Ozon (I hadn't been there for a long time, about two years). I entered my email in the appropriate form, and here is what I received:


Hello <my name>!

You are registered in the online store OZON.ru!

Your login: <my login>
Your password: <my old password that I really used>

You can always change your password in the “My OZON” section.


My valid password was sent in clear text! This means one of two things:

1. Passwords at Ozon are stored in the database unencrypted (in plaintext)
2. A dubious reversible "encryption" scheme is used instead of hashing, which lets anyone who knows the algorithm and the encrypted value recover the password.
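Either way, the password can be handed back to the user because the server never threw it away. The correct design stores only a salted, slow, one-way hash and, for "forgot password", emails a short-lived one-time reset link rather than the password itself. The following is an added example (not Ozon's code, and not from the original post) that implements both halves in Python using the standard library's PBKDF2-HMAC-SHA256; the in-memory user table, the iteration count and the 15-minute token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory "user table" for the example; a real site would use its database.
USERS = {}

PBKDF2_ITERATIONS = 600_000   # assumption: a current, deliberately slow work factor
RESET_TOKEN_TTL = 15 * 60     # assumption: reset links expire after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is one-way: even with the algorithm and the
    database in hand, an attacker has to guess the password, it cannot be 'decrypted'."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(login: str, password: str) -> None:
    """Store only salt + digest; the plaintext password is never persisted."""
    salt, digest = hash_password(password)
    USERS[login] = {"salt": salt, "digest": digest, "reset": None}


def verify_password(login: str, password: str) -> bool:
    record = USERS.get(login)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users (no timing tell)
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])  # constant-time comparison


def begin_password_reset(login: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-time reset token to be emailed as a link. Returns None for an unknown
    login; the caller should reply identically either way so logins cannot be enumerated."""
    record = USERS.get(login)
    if record is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a database leak does not expose live reset links.
    record["reset"] = {
        "hash": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": now + RESET_TOKEN_TTL,
    }
    return token


def complete_password_reset(login: str, token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, and replace the stored hash."""
    record = USERS.get(login)
    if record is None or record["reset"] is None:
        return False
    pending = record["reset"]
    now = time.time() if now is None else now
    if now > pending["expires"]:
        record["reset"] = None  # expired tokens are discarded
        return False
    supplied = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(supplied, pending["hash"]):
        return False
    record["reset"] = None  # single use
    salt, digest = hash_password(new_password)
    record["salt"], record["digest"] = salt, digest
    return True


if __name__ == "__main__":
    register("user@example.com", "correct horse battery staple")
    print("login ok:", verify_password("user@example.com", "correct horse battery staple"))
    link_token = begin_password_reset("user@example.com")
    print("reset link token (would be emailed):", link_token)
    print("reset ok:", complete_password_reset("user@example.com", link_token, "new passphrase"))
    print("old password still works:", verify_password("user@example.com", "correct horse battery staple"))
```

Note what the stored record contains after `register`: a random salt and a PBKDF2 digest, nothing the support desk could mail back. The "forgot password" path therefore never touches the old password at all; it proves control of the mailbox with a token that is random, hashed at rest, time-limited and single-use, and then lets the user set a new one.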

Not believing my eyes, I wrote an email to Ozon tech support describing the problem. In response, I received this:

Good afternoon, <my name>!

You can independently receive your password and login at any time.

To do this, just go to the page www.ozon.ru/?context=forgotpassword and enter your E-mail in the "Forgot your password?" form.

Login and password will be automatically sent to your email address.

Information about logins and passwords is sent at the request of each client individually.

This information is strictly confidential.

We hope for your understanding.

Sincerely, <name of Ozon employee>
Customer Service Specialist
Online megamarket №1 OZON.ru
www.ozon.ru


Actually, nothing more to add.

Source: https://habr.com/ru/post/146591/
