w h a t t h e f u c k
users reset your passwords ASAP, apparently they were just storing them in plaintext: https://www.reuters.com/article/us-twitter-passwords/twitter-says-glitch-exposed-substantial-number-of-users-passwords-idUSKBN1I42JG
@noelle Sounded like they were logging requests without masking passwords, not storing them in plaintext specifically
@zigg According to their own blog post, they were writing passwords to their logs without hashing them first. It wasn't just requests, it was the actual passwords.
@noelle Yes, but “storing them in plaintext” implies they weren’t hashing them at all—when they were and storing them properly hashed, but accidentally logging some intermediate phase of a request that needed to handle the cleartext, in this case login validations.
@zigg No, hang on. You're making some weird assumptions here. "storing them in plaintext" doesn't make any statements about what else they're doing with them. They could store them in plaintext /and/ hash them into their database and they'd still be storing them in plaintext. As for what they were logging, they /literally said/ they were logging the plain text of the passwords.
@noelle @zigg so... you're sort of right?
the issue is, i think, that the phrase "storing passwords in plaintext," as it is used, has come to mean something more specific than "has storage somewhere which ends up containing the plaintext of passwords."
because language ( in any field ) is a weird and dynamic beast.
@gdkar @noelle Yeah, that's what I was thinking. In most cases I would say that "store" is the verb that means to put in a database for later retrieval, and "log" that means to write to a log for debugging.
And the latter is _definitely_ something I've had to tiptoe around when working with request loggers—it's very easy to accidentally write sensitive data to a log when logging requests unless you make sure it's been excluded.
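The tiptoeing around request loggers mentioned above is easiest to see side by side. The following is an added example, not code from anyone in this thread or from Twitter; the field names it treats as sensitive and the sample login request are constructed for illustration. The naive logger writes the whole request, credentials included, while the hardened one masks sensitive keys in the query string, headers and body before the line is formatted, and a small checker confirms that no secret made it into the output.

```python
import json

# Keys whose values must never appear in a log line (constructed list; extend per application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "current_password",
                  "new_password", "token", "authorization", "cookie"}
REDACTED = "[REDACTED]"


def naive_request_line(method, path, headers, body):
    """The dangerous pattern: dump the request as received, secrets and all."""
    return json.dumps({"method": method, "path": path,
                       "headers": headers, "body": body}, sort_keys=True)


def redact(value):
    """Return a copy of a decoded JSON value with sensitive keys masked, recursing into containers."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def redact_query_string(qs):
    """Mask sensitive keys in a form-encoded or query string, keeping other pairs intact."""
    parts = []
    for pair in qs.split("&"):
        if not pair:
            continue
        key, sep, _val = pair.partition("=")
        if sep and key.lower() in SENSITIVE_KEYS:
            parts.append(f"{key}={REDACTED}")
        else:
            parts.append(pair)
    return "&".join(parts)


def safe_request_line(method, path, headers, body):
    """Build a log line for a request with credentials masked before formatting."""
    path_part, sep, qs = path.partition("?")
    path_logged = path_part + (sep + redact_query_string(qs) if sep else "")
    headers_logged = {k: (REDACTED if k.lower() in SENSITIVE_KEYS else v)
                      for k, v in headers.items()}
    body_logged = None
    if body:
        try:
            body_logged = redact(json.loads(body))
        except ValueError:
            # Not JSON: treat the body as form-encoded key=value pairs.
            body_logged = redact_query_string(body)
    return json.dumps({"method": method, "path": path_logged,
                       "headers": headers_logged, "body": body_logged}, sort_keys=True)


def log_line_leaks(line, secrets):
    """Return the secrets that appear verbatim in a log line (empty list means clean)."""
    return [s for s in secrets if s in line]


if __name__ == "__main__":
    # Constructed sample login request.
    hdrs = {"Authorization": "Bearer abc123", "Content-Type": "application/json"}
    body = '{"username": "alice", "password": "hunter2"}'
    print("naive:", naive_request_line("POST", "/login?next=/home", hdrs, body))
    print("safe: ", safe_request_line("POST", "/login?next=/home", hdrs, body))
```

The check in `log_line_leaks` is the kind of thing that belongs in a unit test for the logging layer: feed it a request with known dummy credentials and assert the formatted line contains none of them, so a later change to the serializer cannot silently reintroduce the leak.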
@noelle @zigg like, yes? but also i'm.... pretty sure colloquially "storing password in plaintext" implies a fair number of other things about password handling. ( even outside of the "store vs. log" distinction. )
but, like, also i'm a tangentially-infosec person, not a sys/ops person, so..... extremely-
@gdkar @zigg That's possibly true, but at the point where a major service company is saying "we had several months' worth of passwords from login attempts logged in plain text", the difference between "stored in plaintext" and whatever non-jargon word you'd prefer is pretty slim to the average user. :)