@swalkinshaw
Last active August 29, 2015 14:06
It’s unbelievable that people are using words like “honesty” and “transparency” right now.
iThemes is a company that KNOWINGLY stored plain text passwords for 6 years.
Did they ever mention this until now? No. That’s not honest or transparent.
They were hiding it from their customers for 6 years hoping that no one would ever find out.
Two things are obvious about this:
1) They don’t know what they’re doing when it comes to security.
2) They don’t care about their customers enough to protect them and do things properly.
Want further evidence of this? The main ithemes.com site is loaded over plain HTTP.
They have a login form on every page which posts to another form over HTTPS.
This isn’t secure and it leaves you open to MITM attacks. Their full sign up form is also over
plain HTTP and has the same problem.
These are things you would expect in 2005. Not 2014.
The entire iThemes site needs to be HTTPS enabled with proper redirects and proper HSTS headers.
How about more: they use the default PHP session cookies which aren’t set to either HTTP only OR
secure (which is obvious since they don’t use SSL everywhere).
What’s even worse is after the security breach, they just reset passwords and still continue to
store plain text passwords. And then you hear Cory mention “salting and hashing”.
I hope you don’t literally mean using something like MD5 plus a salt.
Use Bcrypt. This was written in 2007: http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
PHP 5.5 has proper bcrypt support now: https://gist.github.com/nikic/3707231
Your “counter measures” aren’t enough. This site should be shut down (or put in read-only mode)
until everything is fixed.
All iThemes customers should not be okay with what has happened and how they have dealt with it.
I wouldn’t even log in to this site until it’s at least fully HTTPS compliant.
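As an added example (not iThemes' code, not part of the gist), here is what the three fixes the post lists look like in PHP 5.5: the HTTP to HTTPS redirect with an HSTS header, session cookies flagged Secure and HttpOnly, and bcrypt through password_hash() with rehash-on-login. The `$pdo` connection and the `users` table with its `email`, `password_hash` and `password_plain` columns are assumptions made for the example.

```php
<?php
// Added example, not iThemes code. Assumed: a PDO $pdo and a `users` table with email/password_hash/password_plain.

// 1. Serve everything over HTTPS: redirect plain HTTP, then send HSTS on the HTTPS response.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// 2. Session cookie flagged Secure and HttpOnly (the PHP defaults set neither); must run before session_start().
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
session_start();

// 3. Passwords: bcrypt via password_hash(), never plain text or a salted MD5.
const BCRYPT_COST = 12;

function store_password(PDO $pdo, $email, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE email = ?');
    $stmt->execute(array($hash, $email));
}

function check_password(PDO $pdo, $email, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute(array($email));
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($password, $stored)) {
        return false;
    }
    // Transparently upgrade hashes made with an older cost (or algorithm) at login time.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        store_password($pdo, $email, $password);
    }
    return true;
}

// One-off migration: because the old column held plain text, every row can be
// hashed immediately instead of waiting for each user to log in again.
function migrate_plaintext_passwords(PDO $pdo)
{
    foreach ($pdo->query('SELECT email, password_plain FROM users') as $row) {
        store_password($pdo, $row['email'], $row['password_plain']);
    }
    $pdo->exec('ALTER TABLE users DROP COLUMN password_plain');
}
```

The migration only makes sense because plain text was stored; once it has run, the dropped column (and any backups or logs that still contain it) is the remaining exposure to clean up.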