druber
join:2000-04-11
Stow, MA

druber to crazyk4952

Member

to crazyk4952

Re: BULKVS.COM emails the account password to the user

"If a provider is emailing you a password, it means that they store it in plaintext. This means that if their database is ever compromised, then the attacker now has immediate access to ALL of their customer accounts."

Not to nitpick, but this is not necessarily true. I can imagine a CS person setting the password through the GUI and then emailing the cleartext to the customer.
grand total
join:2005-10-26
Mississauga
·Anveo
Hitron CGN3
MikroTik RB750Gr3
MikroTik wAP AC

grand total

Member

said by druber:

Not to nitpick, but this is not necessarily true.

I agree, not necessarily true, but probably. Any organisation which has not implemented something more secure than this in 2021 is probably storing the password as plain text. Unfortunately I know developers who still think this sort of thing is OK.

crazyk4952
Premium Member
join:2002-02-04
united state

crazyk4952 to druber

Premium Member

to druber
I stand by my comment. Run far away from this company.

It is only a matter of time before there is a data breach and all accounts are compromised.

Nezgar
join:2004-06-13
Regina, SK

Nezgar

Member

The script that generates the password could send it by email, then hash and save it... doesn't mean it is not hashed on save... that's purely speculation. Who knows how their script runs, and in which order.
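
The ordering described in the post above (generate, email, then hash and save) is sketched below as an added example; it is not code from the thread or from the provider under discussion. The in-memory `db` and `outbox`, the function names, the sample address and the PBKDF2 work factor are all assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store(db: dict, user: str, password: str, must_change: bool) -> None:
    # Only a per-user random salt and the derived hash are persisted.
    salt = secrets.token_bytes(16)
    db[user] = {"salt": salt, "hash": digest(password, salt),
                "must_change": must_change}


def provision(db: dict, outbox: list, user: str) -> None:
    """Generate a temporary password, email it once, save only its hash."""
    temp = secrets.token_urlsafe(12)
    outbox.append((user, "Temporary password: " + temp))  # stand-in for SMTP
    # The mailbox copy is still cleartext, so force a change at first login.
    store(db, user, temp, must_change=True)


def verify(db: dict, user: str, candidate: str) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(rec["hash"], digest(candidate, rec["salt"]))


def change_password(db: dict, user: str, old: str, new: str) -> bool:
    if not verify(db, user, old):
        return False
    store(db, user, new, must_change=False)  # fresh salt, flag cleared
    return True


def plaintext_in_db(db: dict, user: str, password: str) -> bool:
    """True if the password appears verbatim in the stored record."""
    rec = db[user]
    return password.encode() in rec["salt"] + rec["hash"]


if __name__ == "__main__":
    db, outbox = {}, []
    user = "user@example.test"  # constructed sample account
    provision(db, outbox, user)
    emailed = outbox[0][1].split(": ", 1)[1]
    print(verify(db, user, emailed), plaintext_in_db(db, user, emailed))
```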

dmd
join:2020-09-02
Kitchener, ON
·Start.ca

dmd to crazyk4952

Member

to crazyk4952
said by crazyk4952:

I stand by my comment. Run far away from this company.

Absolutely. I don't even know why this is even being discussed.
Emailing a password is atrocious.

OP must assume system passwords are stored in plain text, which is far more common than one might think.

Account compromise is only a matter of time. Not if, but when.

Davesworld
join:2007-10-30
Thermal, CA

Davesworld

Member

said by dmd:

said by crazyk4952:

I stand by my comment. Run far away from this company.

Absolutely. I don't even know why this is even being discussed.
Emailing a password is atrocious.

OP must assume system passwords are stored in plain text, which is far more common than one might think.

Account compromise is only a matter of time. Not if, but when.

Do you really think any provider, much less a huge wholesaler like this, would allow their servers to have a zillion plain text records with passwords which would make all their servers choke to a stall? Not a chance! If you only knew how inefficient and resource hogging large text files would be as these guys cater to huge accounts. It would take the most clueless rookie in the world to even attempt such a thing.

Even my small FusionPBX server uses pgsql. Databases are of a magnitude more efficient and can be outputted as text easily when needed and emailed, they sure as hell aren't going to email you a .sql or .pgsql file. I have many various types of services that will email a temp password as text and when you log in and change it, it is matched against a database entry and when you change your password that password is replaced in the same database. While a password change link is nice, it's not very secure either.

They are an SBC akin to Anveo Direct. If you aren't running your own server and using them as an SBC it's irrelevant anyway.