Timing republished tutorial on nettuts+ http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

I’m reading the comment on that blog note
There are no words to express the amount of fail from the envato development team 
PixelBin said
Enabled said
As far as I’m concerned, no one blames them for the intrusion, it’s their decision to use a plain text password storage method that everyone is pissed about.
uhm… did someone mention ssl… 2 million years ago?
Nevertheless guys, no need to be rude, all systems can be hacked, no matter how awesome they are, there will always be people who find ways around them!
PixelBin is correct. No one is blaming them for getting hacked. It happens to the best of us. The issue is really the passwords not being encrypted.
This is the last time I’ll participate in this discussion. Envato knows they made a mistake. I’m going to wait to see how they handle it moving forward. Every company has its stumbling blocks. It’s how they respond and make changes going forward that defines who they are and the value of the company. I have high hopes that this will make them stronger. Time will tell.
Not having https on Envato sites is inexplicable in this day and age.
Envato’s response over the next week or two is going to be key to how this will be remembered.
https all the pipes!
ursad said
Envato’s response over the next week or two is going to be key to how this will be remembered. https all the pipes!
they’ve already said they couldn’t add https to the sites because of other issues it causes, I can’t find the thread atm though
as for plain text….. come on guys… I get things get hacked, it happens more than most people think but just leaving a wide open door…
on a side note… sucks to be amember
it takes a simple function call to encrypt the passwords and it’s unreversible. what the hell? use this: http://en.wikipedia.org/wiki/MD5 – i now have to think again of new passwords…. the second time. the first time was when you lost control of an account that hacked us all and bought his items from all of our accounts.
duotive said
it takes a simple function call to encrypt the passwords and it’s unreversible. what the hell? use this: http://en.wikipedia.org/wiki/MD5
You should not encrypt passwords only with MD5 function, it’s as bad as plaintext
Instead you should hash them with salt to have unique stored key.
That’s a shame for envato to let the dev use that method for a so important website! And what if we don’t remember if we have an account there? :/
many times I asked if we can connect marketplace account with tuts network so we can pay for subscription with the money from the marketplace.
FORTUNATELY envato didn’t do this. 
(when envato will make me pay for all the stupid jokes I’ve made that will be a fun day) 
no hard feelings hopefully, you know I love you all.
twi said
duotive said
it takes a simple function call to encrypt the passwords and it’s unreversible. what the hell? use this: http://en.wikipedia.org/wiki/MD5
You should not encrypt passwords only with MD5 function, it’s as bad as plaintext
Instead you should hash them with salt to have unique stored key.
That’s a shame for envato to let the dev use that method for a so important website! And what if we don’t remember if we have an account there? :/
I would do sha512 + salt.

Nevertheless guys, no need to be rude, all systems can be hacked, no matter how awesome they are, there will always be people who find ways around them!
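
Added example, not part of the thread and not any poster's or Envato's code: the storage choices argued about above, run on constructed accounts. Unsalted MD5 stores the same digest for every user who picked the same password, while a per-user random salt with an iterated KDF (PBKDF2-HMAC-SHA512 here, which goes one step beyond the plain "sha512 + salt" mentioned in the thread) stores a unique value per account. The function names, record format and iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor for this example; tune to your hardware


def md5_unsalted(password: str) -> str:
    """The approach criticised in the thread: one fast, unsalted digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha512$iterations$salt_hex$key_hex' with a fresh random salt."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        if scheme != "pbkdf2_sha512":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed or truncated record
    return hmac.compare_digest(key, expected)


def duplicate_groups(records: dict) -> list:
    """Group accounts that share a stored value, as a leaked table would reveal."""
    by_value = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


# Constructed sample accounts; two users picked the same password.
SAMPLE = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

if __name__ == "__main__":
    md5_table = {u: md5_unsalted(p) for u, p in SAMPLE.items()}
    salted_table = {u: hash_password(p) for u, p in SAMPLE.items()}
    print("unsalted MD5 duplicates:", duplicate_groups(md5_table))
    print("salted PBKDF2 duplicates:", duplicate_groups(salted_table))
```

The iteration count is stored inside each record, so it can be raised later and old records re-hashed at the user's next successful login.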