{"id":1182,"date":"2009-01-26T11:59:27","date_gmt":"2009-01-26T10:59:27","guid":{"rendered":"http:\/\/www.itwriting.com\/blog\/1182-why-are-web-sites-still-storing-passwords-monster-usajobs-blunder-highlights-the-risks.html"},"modified":"2009-01-26T11:59:27","modified_gmt":"2009-01-26T10:59:27","slug":"why-are-web-sites-still-storing-passwords-monster-usajobs-blunder-highlights-the-risks","status":"publish","type":"post","link":"https:\/\/www.itwriting.com\/blog\/1182-why-are-web-sites-still-storing-passwords-monster-usajobs-blunder-highlights-the-risks.html","title":{"rendered":"Why are web sites still storing passwords? Monster, USAJobs blunder highlights the risks"},"content":{"rendered":"<p>Sophos informs us that job sites Monster and USAJobs (an official US Job site) <a href=\"http:\/\/www.sophos.com\/blogs\/gc\/g\/2009\/01\/24\/security-alert-monstercom-usajobs-users\/\" target=\"_blank\">have been hacked<\/a>. Messages on Monster and USAJobs confirm this. I\u2019d like to draw attention to the fact that passwords were stolen:<\/p>\n<blockquote>\n<p>We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords.<\/p>\n<\/blockquote>\n<p><a href=\"http:\/\/help.monster.com\/besafe\/jobseeker\/index.asp\" target=\"_blank\">says Monster<\/a>. And <a href=\"http:\/\/www.usajobs.gov\/securityNotice.asp\" target=\"_blank\">USAJobs says<\/a>:<\/p>\n<blockquote>\n<p>We recently learned that the Monster database was illegally accessed and certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.<\/p>\n<\/blockquote>\n<p>Same wording \u2013 because Monster is the \u201ctechnology provider\u201d for USAJobs.<\/p>\n<p>Sophos observes:<\/p>\n<blockquote>\n<p>There is even more potential for danger, however, because passwords have been stolen. 
We know that <a href=\"http:\/\/www.sophos.com\/pressoffice\/news\/articles\/2006\/04\/passpoll06.html\">too many people use the same password<\/a> for every website that they access.<\/p>\n<\/blockquote>\n<p>Right. But why is Monster even storing passwords? It is not necessary. All you need store is a one-way password hash, so the site can verify a password without recording it. This is easily done in every web platform out there.<\/p>\n<p>There is a disadvantage. It means the site cannot email your lost password. Instead, it must reset your password. Since email passes in plain text, emailing passwords is a bad idea anyway, and I hate to see sites doing this; it\u2019s a useful alert though that the site places a low value on security.<\/p>\n<p>Any site can get hacked, but what isn\u2019t stored can\u2019t be stolen.<\/p>\n<p>Technical blunders like this can be costly; there\u2019s no excuse for it that I can think of.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sophos informs us that job sites Monster and USAJobs (an official US Job site) have been hacked. Messages on Monster and USAJobs confirm this. 
I\u2019d like to draw attention to the fact that passwords were stolen: We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user &hellip; <a href=\"https:\/\/www.itwriting.com\/blog\/1182-why-are-web-sites-still-storing-passwords-monster-usajobs-blunder-highlights-the-risks.html\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Why are web sites still storing passwords? Monster, USAJobs blunder highlights the risks<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[75,80,96],"tags":[],"class_list":["post-1182","post","type-post","status-publish","format-standard","hentry","category-security","category-software-development","category-web-authoring"],"_links":{"self":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/1182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/comments?post=1182"}],"version-history":[{"count":0,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/1182\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/media?parent=1182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/categories?post=1182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/tags?post=1182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}