Author Topic: Ever have a TOO helpful service rep? (Discover card)  (Read 1002 times)

Firethorn

  • friend
  • Senior Member
  • ***
  • Posts: 5,789
  • Where'd my explosive space modulator go?
Ever have a TOO helpful service rep? (Discover card)
« on: April 29, 2009, 01:35:15 PM »
My bad - I managed to lose my card.  After looking for it a bit, I give up, report it lost.  4 days later, I have a new card to activate.

Ok fine, call the number punch in my info, get online with rep, REPEAT much of the same info, get card activated.

Turn down offers for credit protection - My old number is shut down, no unauthorized charges, etc...  Don't need it, not worth the money.
Then, yes, I know about my rewards balance (~$20, not worth doing anything with yet).  Pretty standard stuff, I know it's part of the script.

Then 'I'm sending you your password for online access via email so you can check your balance...'  I'm like 'No - I don't need it, I HAVE online access working just fine'.  Couldn't he see that I'd accessed the online site just yesterday?   Sure enough - my password shows up in my mailbox.  Password over unsecure email, now I have to change it again early.    :mad:

Should have written down his name and asked if sending passwords over email when not requested is standard procedure.


Marnoot

  • friend
  • Senior Member
  • ***
  • Posts: 2,965
Re: Ever have a TOO helpful service rep? (Discover card)
« Reply #1 on: April 29, 2009, 01:47:25 PM »
I don't like sites that even store your password in cleartext, much less email them. Someone gets into the database they've got all the passwords they want. I prefer the ones that store them as a hash, then if you forget your password you just supply a new one rather than them emailing you your old one.

Firethorn

  • friend
  • Senior Member
  • ***
  • Posts: 5,789
  • Where'd my explosive space modulator go?
Re: Ever have a TOO helpful service rep? (Discover card)
« Reply #2 on: April 29, 2009, 03:08:15 PM »
I don't like sites that even store your password in cleartext, much less email them.

Too true.  I'm also irked that their system doesn't accept special characters as well, and have complained to them about that as well.

Nick1911

  • Administrator
  • Senior Member
  • *****
  • Posts: 8,492
Re: Ever have a TOO helpful service rep? (Discover card)
« Reply #3 on: April 29, 2009, 03:14:55 PM »
I don't like sites that even store your password in cleartext, much less email them. Someone gets into the database they've got all the passwords they want. I prefer the ones that store them as a hash, then if you forget your password you just supply a new one rather than them emailing you your old one.

Same here.  It's entirely too easy to slip an SQL injection into a page and get back the content of table "users".  I'd rather the column "password" contain "c17602cc6b0e24fd4bb05c6854590aa1" than "ThisIsMyPasswordOnEverythingIncludingBankOfAmerica1".

Even better, a SHA-1 or SHA-2 hash.

I once used a SHA-2 512-bit Rolling hash to secure a password to log into a pottery site for a class project.  My prof thought I was nuts. =)

RevDisk

  • friend
  • Senior Member
  • ***
  • Posts: 12,633
    • RevDisk.net
Re: Ever have a TOO helpful service rep? (Discover card)
« Reply #4 on: April 30, 2009, 02:03:32 PM »
Same here.  It's entirely too easy to slip an SQL injection into a page and get back the content of table "users".  I'd rather the column "password" contain "c17602cc6b0e24fd4bb05c6854590aa1" than "ThisIsMyPasswordOnEverythingIncludingBankOfAmerica1".

Even better, a SHA-1 or SHA-2 hash.

I once used a SHA-2 512-bit Rolling hash to secure a password to log into a pottery site for a class project.  My prof thought I was nuts. =)

Using SHA-512 instead of Whirlpool?  Your prof was right!


Edit:  Is it worth starting another thread to debate if using a rolling hash alleviates the need for using a salt?
« Last Edit: April 30, 2009, 02:27:42 PM by RevDisk »
"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

Firethorn

  • friend
  • Senior Member
  • ***
  • Posts: 5,789
  • Where'd my explosive space modulator go?
Re: Ever have a TOO helpful service rep? (Discover card)
« Reply #5 on: April 30, 2009, 03:43:35 PM »
Bah, you and your weak keys.

I use 2048 bit keys to protect my cooking recipes.   ;/

Nick1911

  • Administrator
  • Senior Member
  • *****
  • Posts: 8,492
Re: Ever have a TOO helpful service rep? (Discover card)
« Reply #6 on: April 30, 2009, 03:55:12 PM »
Using SHA-512 instead of Whirlpool?  Your prof was right!

 =D

Edit:  Is it worth starting another thread to debate if using a rolling hash alleviates the need for using a salt?

Probably. :)