Constant Emails From POF With Password In It... Posted: 7/3/2009 10:12:19 AM
What genius at POF decided that users should get a weekly email of "new matches" that also includes my password in it?
I didn't request my password, so it seems pretty moronic to send out unsecured emails with passwords when it wasn't even requested.
Not only that... you can't stop the emails: "Unfortunately you cannot stop the latest matches emails usually sent out on Mondays"
I've emailed support over and over about this and never hear back.
Let's be a little smarter, POF admins... and respond to your emails.

Constant Emails From POF With Password In It... Posted: 7/3/2009 10:34:25 AM
"What genius at POF decided that users should get a weekly email of 'new matches' that also includes my password in it?" That would be the owner.
"I didn't request my password so it seems pretty moronic to send out unsecured emails with passwords when it wasn't even requested." Although you did not request it, you agreed to it when you signed up for POF.
Now what is moronic is spouting off without doing a thread search first.
http://www.plentyoffish.com/faq.aspx
"I Do Not Want Any More Email Notifications
You can stop message notifications (sent out when you get a message) in Mail Settings on plentyoffish.com. Unfortunately you cannot stop the latest matches emails usually sent out on Mondays - if these are a problem we'll remove your account upon request."

Constant Emails From POF With Password In It... Posted: 7/3/2009 1:43:10 PM
I don't want the email notifications to stop, I want them to stop putting my password in the email.
I think it's pretty logical that you shouldn't be sending out people's passwords unless people requested them.

Constant Emails From POF With Password In It... Posted: 7/3/2009 2:40:52 PM
Basic rule in computer security:
Never send anything in an email that you wouldn't put on a postcard.
In this case, I would make sure your password is a non-secure password. With so many sites asking for passwords, I keep four levels. The highest is for where the money is, the second highest for where I get money from (CC, etc.). The third is for sites that I really would rather have people not get into, but wouldn't cost me anything. The lowest level is for POF and other sites that have poor security policies, newspapers, and sites where they force me to log in, but I really don't care.
It is good to be safe.

Constant Emails From POF With Password In It... Posted: 7/3/2009 9:51:32 PM
"Although you did not request it you agreed to it when you signed up for POF. Now what is moronic is spouting off without doing a thread search 1st."
I did agree to getting the emails, but can you point to me where in the FAQ does it say "you're going to get these emails AND we're going to do something really smart by including your password in every email even though you don't need it and didn't ask for it."
So no, I was not agreeing to having my password sent to me every email.
It's clearly a bad policy to send out passwords unprompted like this, but then, maybe you have trouble remembering your password.

Constant Emails From POF With Password In It... Posted: 7/4/2009 1:59:41 AM
The fact that POF can send you your password at all is worrying.
Generally, when you submit your password to a website it is then subject to md5, sha1 or similar hashing. This takes your plain text password and converts it to a longer, unreadable string. There is no way to work back from a hashed password to the original. Each time you enter your password, it should be hashed again and the hashed value is compared against the database.
The website you are submitting to shouldn't hold the original password that you provided anywhere. It's why most sites ask you to reset your password rather than telling you what it is (they don't know what it is). There is no reason POF couldn't do this. It's basic website security 101 type stuff.

- don (Joined: 4/23/2009, Msg: 8)
Passwords in Email Posted: 7/4/2009 3:46:15 AM
You are not on a site that requires high security. Don't use your banking or other important password as your PoF password and you should be alright.
What about your email acct.? Do you use https?
If not, you're sending your email password unencrypted over the net every time you log on.

- don (Joined: 4/23/2009, Msg: 9)
Passwords in Email Posted: 7/4/2009 4:12:52 AM
"Generally, when you submit your password to a website it is then subject to md5, sha1 or similar hashing. This takes your plain text password and converts it to a longer, unreadable, string. There is no way to work back from a hashed password to the original. Each time you enter your password, it should be hashed again and the hashed value is compared against the database."
Are you sure?
insecure.org Top 10 Password Crackers
#1 Cain and Abel : The top password recovery tool for Windows UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.
#2 John the Ripper : A powerful, flexible, and fast multi-platform password hash cracker John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find here, here, or here.
#3 THC Hydra : A fast network authentication cracker which supports many different services When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap this release is from the fine folks at THC.
#4 Aircrack : The fastest available WEP/WPA cracking tool Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).
#5 L0phtcrack : Windows password auditing and recovery application L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc). LC5 was discontinued by Symantec in 2006, then re-acquired by the original L0pht guys and reborn as LC6 in 2009. For free alternatives, consider Ophcrack, Cain and Abel, or John the Ripper.
#6 Airsnort : 802.11 WEP Encryption Cracking Tool AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It was developed by the Shmoo Group and operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. You may also be interested in the similar Aircrack.
#7 SolarWinds : A plethora of network discovery/monitoring/attack tools SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, one of the fastest and easiest router config download/upload applications available and more.
#8 Pwdump : A Windows password recovery tool Pwdump is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available. It outputs the data in L0phtcrack-compatible form, and can write to an output file.
#9 RainbowCrack : An Innovative Password Hash Cracker The RainbowCrack tool is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute force cracker tries all possible plaintexts one by one, which can be time consuming for complex passwords. RainbowCrack uses a time-memory trade-off to do all the cracking-time computation in advance and store the results in so-called "rainbow tables". It does take a long time to precompute the tables but RainbowCrack can be hundreds of times faster than a brute force cracker once the precomputation is finished.
#10 Brutus : A network brute-force authentication cracker This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available. UNIX users should take a look at THC Hydra.
Passwords in Email Posted: 7/4/2009 8:47:18 AM
Yes, very sure. All of those work by starting with a plain text password and trying to match the encrypted version, i.e. working forwards. It's going the other way that's the problem.

Passwords in Email Posted: 7/4/2009 9:02:00 AM
I don't understand why some of you people are rationalizing an idiotic policy.
So far we have: "Although you did not request it you agreed to it when you signed up for POF."
Which was just wrong and stupid.
And now, "You are not on a site that requires high security."
Which is just stupid.
A password is a password... if you don't think this site requires high security, I guess you wouldn't mind posting your password for all to see so we can check out who you've been emailing, what you've been saying to other people.

Passwords in Email Posted: 7/4/2009 9:12:51 AM
Try using the search tool next time. This thread should be deleted for redundancy.
http://forums.plentyoffish.com/datingPosts3904613.aspx
That thread has like 60 posts and started like 3 or 4 years ago. The owner of the site posted his thoughts in there.
I think it's safe to assume he isn't going to change his mind.
Worry about protecting your own email account. If it's hacked, this site's password (which holds none of your personal data, not even your friggin name) is the very least of your problems. Worrying about protecting your own email account and computer is your best bet.
I use an email filter and those emails go straight to the trash and I never see them. That's your best option. I am an IT guy so yes I understand password security. Yes I agree it would be better to have a link to request a lost password at the very least!
I also have been on here for years and know the Admin here owns this site and does whatever he pleases and no amount of whining about him sending your password will matter one teeny bit. Witness that 4-year-old thread I linked with like different people whining about this. Has not helped in 4 years. This thread won't matter either.
Cowboy

Passwords in Email Posted: 7/4/2009 9:13:36 AM
"I don't understand why some of you people are rationalizing an idiotic policy." OP, this is why a thread search once again would have solved all of your problems.
Then you would have seen this topic has been done to death.
So now that you know it is not going to change and no one is forcing you to put up with it, I give you this once again...
"You can stop message notifications (sent out when you get a message) in Mail Settings on plentyoffish.com. Unfortunately you cannot stop the latest matches emails usually sent out on Mondays - if these are a problem we'll remove your account upon request."

- don (Joined: 4/23/2009, Msg: 14)
Constant Emails From POF With Password In It... Posted: 7/4/2009 9:21:07 AM
"The fact that POF can send you your password at all is worrying.
Generally, when you submit your password to a website it is then subject to md5, sha1 or similar hashing. This takes your plain text password and converts it to a longer, unreadable, string. There is no way to work back from a hashed password to the original. Each time you enter your password, it should be hashed again and the hashed value is compared against the database.
The website you are submitting to shouldn't hold the original password that you provided anywhere. It's why most sites ask you to reset your password rather than telling you what it is (they don't know what it is). There is no reason POF couldn't do this. It's basic website security 101 type stuff."
"Yes, very sure. All of those work by starting with a plain text password and trying to match the encrypted version. ie working forwards. It's going the other way that's the problem." Dude... You are wrong about what you said and are looking for a smooth way out by playing word games, nice try.
Your md5s & sha1s are not as secure as you think. Hope that doesn't make you feel too uncomfortable.
http://en.wikipedia.org/wiki/Password_cracking#Salting
Salting (see also: Salt (cryptography))
The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting. When the user sets a password, a short, random string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is usually different for each user, the attacker can no longer construct tables with a single encrypted version of each candidate password. Early Unix systems used a 12-bit salt. Attackers could still build tables with common passwords encrypted with all 4096 possible 12-bit salts. However, if the salt is long enough, there are too many possibilities and the attacker must repeat the encryption of every guess for each user. Modern methods such as md5-crypt and bcrypt use salts of 48 and 128 bits respectively.

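The storage scheme argued over in the two posts above (hash the password on submit, compare hashes at login, never keep the plaintext) together with the per-user salt from the Wikipedia excerpt, as an added Python example that is not from the thread or from POF. The user names and passwords are constructed, and PBKDF2-HMAC-SHA256 stands in for the md5-crypt/bcrypt the excerpt names; a site storing only these records could not mail anyone their password back.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to pick the same password.
# These names and passwords are made up for the example, not taken from the thread.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}


def unsalted_sha1(password: str) -> str:
    """The bare scheme the earlier post describes: store sha1(password)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Salted, iterated storage: fresh random 16-byte salt per user, PBKDF2-HMAC-SHA256.

    Only salt, iteration count and derived key are kept; the password itself is
    never written anywhere, which is why a site doing this cannot email it back.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_same_unsalted_hash(users: dict) -> bool:
    """Without a salt, users sharing a password share a digest, so one
    precomputed table (or one cracked row) exposes all of them."""
    digests = {name: unsalted_sha1(pw) for name, pw in users.items()}
    return len(set(digests.values())) < len(digests)


def same_password_distinct_salted_hash(users: dict) -> bool:
    """With a per-user salt, identical passwords still yield different stored
    hashes, so any precomputation has to be redone for every user."""
    records = {name: make_record(pw) for name, pw in users.items()}
    return len({r["hash"] for r in records.values()}) == len(records)


if __name__ == "__main__":
    rec = make_record("correct horse")
    print("verify correct password:", verify("correct horse", rec))
    print("verify wrong password:  ", verify("correct horse battery", rec))
    print("unsalted sha1 collides: ", same_password_same_unsalted_hash(SAMPLE_USERS))
    print("salted hashes distinct: ", same_password_distinct_salted_hash(SAMPLE_USERS))
```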
Passwords in Email Posted: 7/4/2009 9:26:22 AM
"Then you would have seen this topic has been done to death."
Wow, there's another great argument... it's been done to death. Hmm, so the fact that it's been done to death means it's not a problem that should be fixed. It's been done to death, so we should just sit back and not voice our concern. Way to have an innovative mind there... I'm sure that type of mentality is what fuels progress. "Ehhh, it's already been talked about, guess we can't do anything about it. I'll just sit back and do nothing." Genius.
Actually, the fact that it has been done to death clearly means it SHOULD be fixed and people SHOULD keep complaining.
"So now that you know it is not going to change and no one is forcing you to put up with it"
Just like nobody is forcing you to read or respond to the thread. If you don't like the topic or what's being said, move on to the next thread.

- don (Joined: 4/23/2009, Msg: 16)
Site Security Posted: 7/4/2009 9:34:15 AM
"And now, 'You are not on a site that requires high security.'
Which is just stupid.
A password is a password... if you don't think this site requires high security, I guess you wouldn't mind posting your password for all to see so we can check out who you've been emailing, what you've been saying to other people."
If someone wanted to break into your PoF account or email account, it wouldn't be difficult.
You are using a free account, are you worried someone might find out your zip code or read your messages?
If you think the internet is a secure place, you were misinformed or 'just stupid'.
Quit the password hissy-fit and remove your account, or accept that you are sending your username & password unencrypted over the net every time you log on (like many other websites)
& they send your password via email
(maybe you should check your email security & complain to them)

Site Security Posted: 7/4/2009 9:44:43 AM
Once again we have a limited mind making comments along the lines of "that's the way it is, live with it." Way to innovate.
Yes, I realize this is a free site and my expectations are appropriately low. That doesn't mean common sense shouldn't prevail.

- don (Joined: 4/23/2009, Msg: 18)
Site Security Posted: 7/4/2009 9:51:24 AM
Yeah, it would be nice to have your password 'more difficult to read' and log on with 'https', but these things take time & resources.
It's free. If you don't want it, don't take it.
PoF is stubborn, they have their 'cookie cutter' for making money and will not change.
I do like being able to use the service and I think the benefits outweigh the drawbacks so I will continue using it.
& pay attention to the other sites you log into, I think you will find the majority of them are not so secure (see the address bar & look for 'https', and even then it may not be as secure as you think)

Site Security Posted: 7/4/2009 9:59:50 AM
"but these things take time & resources"
I'm asking one simple change, stop sending my password in emails to me when I didn't request it. In coding terms, that's a less than 1 minute fix. I'm sure they have a script that sends out the email with a [PASSWORD] variable. Remove that. Done.

- don (Joined: 4/23/2009, Msg: 20)
Site Security Posted: 7/4/2009 10:18:35 AM
What will the old people do when they forget their password? Or the people who can't keep up with all of their passwords?
I like to get my password in my email, I have so many passwords I use a book to keep them in b/c there is no way to remember them all. I don't see the harm in sending my password to my email, I don't think anyone cares enough to break into my email acct. to see my PoF password (my email has a good password).
I understand where you are coming from, if it was my site I might send it bi-weekly ;)
Yeah, they could remove it easily and we've asked but they won't change.

Site Security Posted: 7/4/2009 10:32:15 AM
I'm not suggesting not having a "forgot my password" option. That's normal. The email they send out is just a general email going out to every POF user, none of which likely asked for their password.
What other website sends your password out once a week regardless of whether you need it or not? None that I know of.

- don (Joined: 4/23/2009, Msg: 22)
Site Security Posted: 7/4/2009 11:59:08 AM
Okay, I'm done rationalizing on PoF's behalf.
I agree that we should have the ability to choose whether we have our password sent via email weekly, & if there are any programmers out there who are willing to write something up I would be grateful.
I suggested an open source chat a week or two ago and it was shot down by an admin, but maybe editing the email options is likely to happen if someone gives them the code/script (I'm not a web designer or programmer).
Or, maybe PoF needs some competition, and if someone has the resources & ability to make another fish pond for us to swim in (potentially make a lot of money through ads)
Unsatisfied Customers = Business Opportunity
Any takers??? My plate is currently full but I'm free to swim.

Constant Emails From POF With Password In It... Posted: 7/4/2009 2:44:23 PM
I can live with it.
I was simply clarifying my explanation. As I am sure you are aware, a lot of encryption algorithms can be used to encrypt and decrypt (take DES for an example). I was just trying to say that md5 only goes one way. Because you don't get a 1 to 1 relationship between the plain text and hashed values, you can't directly decrypt again. Of course, you can use a variety of methods to attack pretty much any password system, no system is completely without weakness.
Either way, some encryption is better than none, but I agree it wouldn't be the end of the world if someone hacked my POF account. They might even have more luck than me ;)

Constant Emails From POF With Password In It... Posted: 7/4/2009 4:56:52 PM
"I'm not suggesting not having a 'forgot my password' option. That's normal. The email they send out is just a general email going out to every POF user, none of which likely asked for their password.
What other website sends your password out once a week regardless of whether you need it or not? None that I know of."
So if the fix is so simple then why do you think it is not done? Because the owner does not know what he is doing?
Why wouldn't you conclude that there must be some reason why the site does this?
I would say the owner of this site has a pretty good idea at what he is doing, so therefore there must be a reason why it is done like this.

Constant Emails From POF With Password In It... Posted: 7/5/2009 9:34:48 AM
"I would say the owner of this site has a pretty good idea at what he is doing, so therefore there must be a reason why it is done like this."
Man, this guy's a friggin genius.
So, let me get this straight... because a company decides "this is how we want to do something, so this is how we're going to do it... screw what the people want" and it involves other people's personal information, it's ok for them to do it? Personal security or information be damned!
Nice mentality. Join the rest of the sheep.