Why does Moniker.com send passwords in CLEAR TEXT?!!!

outrageous

I was shocked to get an e-mail with my account's password in clear text,
along with my real name! That's like giving the world my password!

A legit company doesn't even EVER *KNOW* a user's password!!! They have no damn business doing that. I'm disgusted. I hope they learn something about security and respect their patrons' privacy better. I am very very very disappointed and was completely shocked to see how careless they are with their users' information.

We use handles and passwords to keep a modicum of security and anonymity. I don't want someone getting that info from e-mail through servers and then trying to crack other accounts or hack me.

Shame on Moniker!

Examples of what I mean...

What if you register an account with Moniker, and you're reading your e-mail, and your precocious teen is looking over your shoulder, or co-workers, when that e-mail is up. They'll see your password when you get the confirmation e-mail from Moniker, and you won't even realize that they are so careless with your information until AFTER you give it to them!

With UNIX and Windows, the OS doesn't even STORE the *real* password. Yes, it can be done so that the system that uses the passwords never even knows your password. It is an old technique. Several decades old, in computing.

It works like this:

User enters a password and it is crunched through an algorithm to a 'hash' code, a one-way encryption that yields a large number. Every time that same password is hashed, it yields the same number. Other passwords can also yield that same number, but only one in many millions or billions will.

There is no way to go from the hash back to the original password. It is the hash code that is stored in the user's account.

When the user logs in, the system hashes the password and compares the hash of the login attempt to the hash in the account on file.

The company NEVER stores the real password, and protects the whole transaction to protect the consumer from being hacked by the public, and other users on the computer.

I'm just so disappointed that sites which are involved with valuable things and big transactions are compromising customers.

PLEASE, PLEASE, Moniker, fix this soon and let us know.
 
I was just reading a very large article (about half a page) in the Wall St Journal about hijackers taking domain names. It is a very large problem. Most of the domain names taken were through the email, so you have a very good point. What is upsetting is Monte from Moniker is quoted in the article, yet the company is doing it?
 
I'm shocked to hear this. Better be careful.
 
goodkarmaco said:
What is upsetting is Monte from Moniker is quoted in the article, yet the company is doing it?

You've got to be kidding!
 
It is somewhat bad practice to keep passwords stored in the database. The only thing that should be stored is a hash of the password (hashing is 1 way although it can be broken). It is possible that Moniker stores them encrypted but anything that can be encrypted can be unencrypted.

Instead of sending you the password they should make you reset the password by going through a secure procedure.
 
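The hashing scheme outrageous describes in the first post and the reset-instead-of-send procedure peter@flexiwebhost recommends, worked through as an added Python example that is not code from the thread or from Moniker. PBKDF2-HMAC-SHA256 with a random per-user salt (rather than a bare hash), the in-memory account table and the 15-minute token lifetime are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time

ACCOUNTS = {}  # constructed in-memory account table: handle -> record (a real site uses a DB)

def hash_password(password, salt=None):
    # One-way: same password + same salt always gives the same digest, which cannot be
    # reversed. PBKDF2-HMAC-SHA256 with a random per-user salt is this example's choice.
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(handle, password):
    # Only salt and digest are stored; the clear-text password is never written anywhere.
    salt, digest = hash_password(password)
    ACCOUNTS[handle] = {"salt": salt, "hash": digest, "reset": None}

def login(handle, attempt):
    # Re-hash the attempt with the stored salt and compare digests in constant time.
    rec = ACCOUNTS.get(handle)
    if rec is None:
        return False
    _, digest = hash_password(attempt, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])

def start_reset(handle, ttl_seconds=900):
    # What the site e-mails instead of a password: a random, single-use, expiring token.
    # Only the token's hash is kept, so a leaked database does not leak usable tokens.
    rec = ACCOUNTS.get(handle)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset"] = (hashlib.sha256(token.encode()).digest(), time.time() + ttl_seconds)
    return token

def finish_reset(handle, token, new_password):
    # Consume the token whether or not it matches, check expiry and value, then re-hash.
    rec = ACCOUNTS.get(handle)
    if rec is None or rec["reset"] is None:
        return False
    token_hash, expires = rec["reset"]
    rec["reset"] = None
    presented = hashlib.sha256(token.encode()).digest()
    if time.time() > expires or not hmac.compare_digest(presented, token_hash):
        return False
    rec["salt"], rec["hash"] = hash_password(new_password)
    return True
```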
outrageous said:
PLEASE, PLEASE, Moniker, fix this soon and let us know.

Have you emailed or called them with your concerns directly?

I personally would not post a detailed flaw in a public forum
about any system that could affect my security, you never
know whose eyes are watching, let's not point them to the
open door!

PS. Welcome to the forum!
 
I will be checking this with my rep over at Moniker, but to be honest I am not inclined to believe this. Moniker has the highest security measures I have encountered until now; this would seem very strange if this was true. Anyway, I will be asking for a small comment in this thread from their side.
 
Is there a Moniker rep on Namepros? Can he give us their take?
 
There are a few that I know of, but might as well start at the top Monte :)
 
peter@flexiwebhost said:
It is somewhat bad practice to keep passwords stored in the database. The only thing that should be stored is a hash of the password
Exactly. Perhaps Moniker is a bit overrated as a registrar :hehe:
 
Believe it, it has happened to me recently.
 
All emails leaving our server are encrypted, so what may look like text as it lands in your email box is encrypted coming in.
 
mcahn said:
All emails leaving our server are encrypted, so what may look like text as it lands in your email box is encrypted coming in.

Good to have Monte Cahn here at Namepros. Thanks for the clarification.
 
mcahn said:
All emails leaving our server are encrypted, so what may look like text as it lands in your email box is encrypted coming in.

Are you sure your engineers are giving you the correct information?
When I created an account, an e-mail was sent to me with my REAL name and my handle and my actual password. How could it be encrypted leaving the server if there was no certificate exchange and I'm using ordinary POP or IMAP email? If you're encrypting e-mail, it implies decryption on the receiving side, and for that, both sides have to agree. And most people are not set up with e-mail certs.

I'm sorry about coming unglued this morning. I could have been a little more polite in the way I put it, except I've used that password in other places, and I was really surprised to see that you even TRACK the password rather than store a hash. I think you owe it to your customers to 'get with the program'. Just look at how just about any other serious site that manages passwords handles it, and you'll see they don't do what you do. Go ahead, make an account, log in, and walk through the password process. The really good sites give you an opportunity to reset your password, rather than tell you what your previous password is. And they are not storing it anywhere.

The mediocre sites, that do save passwords somewhere in clear text (which is not cool at all, IMO) won't send you your password unless you *request* it.

Anyway, I don't know what you mean by it leaving the server encrypted. From what I can tell, as it hops around the servers from point A to point B anyone can read that e-mail as clearly as I can, and get my personal name, and the password I used and the account name. How exactly are you preventing that from happening?

====
OK, I've thought about that. I understand, you're not sending clear text.
But as I explained in private e-mail to you, you need to beef up security.
What I would do at this point if I were you is:

-- Stop sending real name/handle/password under any circumstances in the same e-mail.

Until you revise your system, have users call in if they need to change the password. You guys clearly have full access to their accounts, so what does it matter if you know? That's just temporary. And we all have to trust your employees implicitly for the time being.

And then revise your system. Once you tell us you've addressed it, I'll consider using Moniker to list. Unfortunately privacy and security are a reality of doing business on the Internet. I'm sorry you and I found out the hard way that there is room for improvement. Despite the seriousness of the situation, if you fix it quickly, all is forgiven.
 
Are we safe?

Monte, I just read an article in the Wall St Journal (and it was about a half page) talking about "how to protect your domain name". The paper was honored with an interview with yourself where you say domain name theft is a huge problem. Btw, many thanks for finding yourself in the frontlines featuring the domain business.

The article goes on from there discussing that most domain thefts are through someone getting access to passwords or emails, then changing "who is". I am sure this is a problem for the industry. Are we safe?
 
goodkarmaco said:
Monte, I just read an article in the Wall St Journal (and it was about a half page) talking about "how to protect your domain name". The paper was honored with an interview with yourself where you say domain name theft is a huge problem. Btw, many thanks for finding yourself in the frontlines featuring the domain business.

The article goes on from there discussing that most domain thefts are through someone getting access to passwords or emails, then changing "who is". I am sure this is a problem for the industry. Are we safe?

Sounds like they're counting on standard attachment encoding to protect you, which isn't secure at all. Just a thin veil. Be careful.
 
goodkarmaco said:
Are we safe?
Yes and no. Yes as Monte explained regarding their email, no if one does not
take care of their domain name and email accounts.

Your registrar's contract defines your respective responsibilities. Make sure to
understand yours.

As reflectivist said, be careful.
 
You need to watch your commercial emails: AOL, MSN, Hotmail, Yahoo, Gmail, etc. They have all been breached, and then passwords and IDs can be retrieved from banks, registrars, etc.

We are putting even more security into our password retrieval process; due out very soon.
 
mcahn said:
You need to watch your commercial emails: AOL, MSN, Hotmail, Yahoo, Gmail, etc. They have all been breached, and then passwords and IDs can be retrieved from banks, registrars, etc.

We are putting even more security into our password retrieval process; due out very soon.

Excellent! Thanks
 
mcahn said:
All emails leaving our server are encrypted, so what may look like text as it lands in your email box is encrypted coming in.

Thanks for clarifying, Sir Monte :hi:
 