[conspire] Ugh, don't you hate it when (password insecurity) ... Re: P.S. - additional security bug Re: site password bug(s) - security, etc.
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Fri Dec 21 05:50:20 PST 2018
Ugh, don't you hate it when (password insecurity) ...
I had to dumb down the password I used on the site to a
14 character alphanumeric password for it to both
accept the change and actually be able to authenticate with
the password.
<sigh>
Yeah, I've ranted about this kind'a thing before, and how
sites should *properly* do passwords ... but far far far
too many still get it wrong (they keep reinventing the wheel,
... very very very poorly).
Is it about time to start shaming sites/organizations that
can't do password security properly - I mean this is an issue
that's been well solved for decade(s) or more now.
> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> To: customercare at redcross.org
> Subject: P.S. - additional security bug Re: site password bug(s) -
> security, etc.
> Date: Fri, 21 Dec 2018 05:16:42 -0800
> P.S. - additional security bug.
>
> After you email a temporary password upon password reset request,
> that should force changing the password upon first use.
> That only happens if one enters it on the same web page where
> the reset was requested - if one instead uses
> https://www.redcrossblood.org/account-login.html
> user is not forced to change password
> (so they're then using less secure / insecure password, that was
> emailed across The Internet, quite possibly in the clear,
> and has probably also now been stored in the clear).
>
> Once the temporary password has been issued, it should force change
> of that password no matter how the user enters and authenticates with
> it at any applicable site or entry point of Red Cross that uses that
> authentication.
>
>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>> Subject: site password bug(s) - security, etc.
>> Date: Fri, 21 Dec 2018 05:11:10 -0800
>
>> You need to fix your password security/processing.
>>
>> E.g. if I successfully change my password to:
>> s,'+X.FKg]`8pkz&OaAn
>> and that is accepted as shown as successfully changed to that password,
>> the site
>> https://www.redcrossblood.org/account-login.html
>> then fails to authenticate using that password.
>> You need to be consistent in the processing and changing of password
>> and the authentication with password.
>> If you're not:
>> o this indicates a bug - possibly a security bug
>> o security is reduced because:
>>   o people have to pick stupider weaker passwords to work around your bug(s)
>>   o people have to request password resets - which emails passwords, often
>>     traversing The Internet and/or being stored in the clear
>>   o folks will be frustrated with these bugs and just give up or maybe try
>>     later, reducing, e.g. blood donations, etc.
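An added illustration of the two bugs the post describes (example code written here, not the site's or the author's): a store whose login path sanitises the password differently from its change-password path, so a strong password is accepted and then never authenticates, beside a version that shares one canonicalisation between both paths and carries a must-change flag that every login entry point has to honour after a reset. The class and method names are made up for the example.

```python
import hashlib, hmac, os, secrets, unicodedata

def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept low here so the demo runs fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)

class BuggyAccounts:
    """Reproduces the symptom in the post: change-password stores the password
    as typed, but login strips punctuation first, so a strong password is
    accepted and then never authenticates (only alphanumerics still work)."""
    def __init__(self):
        self.users = {}
    def set_password(self, user, pw):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(pw, salt))
    def login(self, user, pw):
        cleaned = "".join(c for c in pw if c.isalnum())  # the inconsistent step
        salt, digest = self.users[user]
        return hmac.compare_digest(_hash(cleaned, salt), digest)

class Accounts:
    """Fixed: one canonicalisation shared by both paths (normalise, never filter),
    and a must_change flag that every login entry point must honour."""
    def __init__(self):
        self.users = {}
    @staticmethod
    def _canon(pw):
        return unicodedata.normalize("NFC", pw)
    def set_password(self, user, pw, temporary=False):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _hash(self._canon(pw), salt),
                            "must_change": temporary}
    def issue_temporary_password(self, user):
        """Password-reset path: a random temporary password flagged must_change."""
        tmp = secrets.token_urlsafe(12)
        self.set_password(user, tmp, temporary=True)
        return tmp
    def login(self, user, pw):
        """Returns (authenticated, must_change). Whatever page the login came
        from, a True must_change means: force a password change before use."""
        rec = self.users.get(user)
        if rec is None:
            return (False, False)
        ok = hmac.compare_digest(_hash(self._canon(pw), rec["salt"]), rec["hash"])
        return (ok, ok and rec["must_change"])
```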