It’s been a while now since I originally made this post, so it’s about time I made it public. A while back I had been following a company that was growing at a very fast rate, UniversityCribs.co.uk.
Given that I liked the idea of the website, knew that the majority of the staff, while very good entrepreneurs, would have had little technical security knowledge, and was working on building my own, I thought I would have a look around.
Plain text password storage
Upon registering an account I was, for some unknown reason, immediately emailed my plain text password. For starters, you just registered; why do you even need it emailed to you? Do they expect you to forget it within the space of 1 minute?
They also send your password in plain text whenever you log in, which means anybody on the same Wi-Fi can see your password with something like Wireshark, as the connection is not made over HTTPS.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: universitycribs.co.uk

action=reales_user_signin_form&signin_user=UnsecureCribs&signin_pass=unsecure
What they should be doing
Basic practice in software is to salt and hash passwords. That means your password is NEVER retrievable. The purpose of the salt is to defeat precomputed dictionary attacks (rainbow tables): the same password hashed with a different salt gives a different result, so a table built in advance is useless, and the hash itself cannot be reversed to recover the password.
// PHP: hash the password with the per-user salt and store only the result, never the password itself
$salted_password = crypt($password, $salt);
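The same idea as the crypt() call above, carried through as an added example (not code from the original post or from the site in question): a per-user random salt, a slow iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library, swapped in for crypt), and a constant-time verify. The `$pbkdf2-sha256$...` record layout is a convention constructed for this example.

```python
# Added example: salted, iterated password hashing with verification.
# Assumes PBKDF2-HMAC-SHA256 in place of PHP's crypt(); the record format
# "$pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>" is constructed here.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # work factor; raise it over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest.

    A fresh 16-byte random salt is drawn unless one is supplied; the optional
    parameter exists only so a test can show the computation is deterministic.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    A malformed record is treated as a failed login rather than an exception,
    so a corrupted row cannot turn into an error page or a bypass.
    """
    try:
        _, algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get different stored records because
    each gets its own salt; this is what makes a precomputed table useless."""
    return hash_password(password) != hash_password(password)
```

Because only the record is stored, the site could neither email the password back at registration nor leak it from a database dump; a login simply calls verify_password() against the stored row.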