Last active: August 29, 2015 14:06
It’s unbelievable that people are using words like “honesty” and “transparency” right now. iThemes is a company that KNOWINGLY stored plain text passwords for 6 years. Did they ever mention this until now? No. That’s not honest or transparent. They were hiding it from their customers for 6 years hoping that no one would ever find out.

Two things are obvious about this:

1) They don’t know what they’re doing when it comes to security.
2) They don’t care about their customers enough to protect them and do things properly.

Want further evidence of this? The main ithemes.com site is loaded over plain HTTP. They have a login form on every page which posts to another form over HTTPS. This isn’t secure and it leaves you open to MITM attacks. Their full sign up form is also over plain HTTP and has the same problem. These are things you would expect in 2005. Not 2014. The entire iThemes site needs to be HTTPS enabled with proper redirects and proper HSTS headers.

How about more: they use the default PHP session cookies, which aren’t set to either HTTP only OR secure (which is obvious, since they don’t use SSL everywhere).

What’s even worse is that after the security breach, they just reset passwords and still continue to store plain text passwords. And then you hear Cory mention “salting and hashing”. I hope you don’t literally mean using something like MD5 plus a salt. Use Bcrypt. This was written in 2007: http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/

PHP 5.5 has proper bcrypt support now: https://gist.github.com/nikic/3707231

Your “countermeasures” aren’t enough. This site should be shut down (or put in read-only mode) until everything is fixed. All iThemes customers should not be okay with what has happened and how they have dealt with it. I wouldn’t even log in to this site until it’s at least fully HTTPS compliant.
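As an added illustration of the three fixes asked for above (HTTPS redirects, HSTS, and HttpOnly/Secure session cookies), here is a PHP bootstrap snippet that a site would include before any output. This is example code written for this page, not iThemes' code; the canonical hostname is a placeholder, and the cookie settings use `ini_set` so they also work on the PHP 5.x versions current when this was written.

```php
<?php
// Added example, not iThemes' code. Include this before any output (e.g. from
// a shared bootstrap file). $canonicalHost is an assumed placeholder; redirecting
// to a fixed host rather than the Host header avoids trusting client input.
$canonicalHost = 'www.example.com';

// 1. Force HTTPS. A login form served over plain HTTP can be altered by anyone
//    on the network path, no matter where it POSTs to, so every page is redirected.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
if (!$isHttps) {
    header('Location: https://' . $canonicalHost . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// 2. HSTS: browsers that have seen this header refuse to load the host over
//    plain HTTP for the next year. Send it only on HTTPS responses (we are past
//    the redirect, so that holds here). Start with a short max-age while testing.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// 3. Session cookie flags. PHP's defaults leave both off: the session id is then
//    readable from page scripts and is sent along with any plain-HTTP request.
//    These must be set before session_start().
ini_set('session.cookie_httponly', '1');   // not exposed to document.cookie
ini_set('session.cookie_secure', '1');     // only ever sent over HTTPS
ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue (PHP >= 5.5.2)

session_start();
```

To check the result from the outside, fetch the login page with `curl -I http://www.example.com/` and confirm a `301` to the HTTPS URL, then `curl -I https://www.example.com/` and confirm both the `Strict-Transport-Security` header and a `Set-Cookie: PHPSESSID=...; secure; HttpOnly` line.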
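The following is an added example of the bcrypt approach recommended above, using PHP 5.5's `password_hash()`/`password_verify()`; it is not iThemes' code or the code from the linked gist. The PDO connection and the `users` table layout are assumptions made for the example.

```php
<?php
// Added example, not iThemes' code. Assumes a PDO connection ($pdo) and a
// users table with columns id and password_hash (both assumptions).

// bcrypt work factor. 12 takes a noticeable fraction of a second per hash, which
// is the point: a leaked table cannot be brute-forced the way MD5 (even salted)
// can. Raise it as hardware gets faster; existing hashes upgrade on next login.
const BCRYPT_COST = 12;

// On signup or password reset: store only the hash. password_hash() generates a
// random per-user salt itself and embeds it in the "$2y$12$..." string.
function storePassword(PDO $pdo, $userId, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([$hash, $userId]);
}

// On login: password_verify() reads the cost and salt out of the stored hash and
// compares in constant time. If the stored hash is weaker than the current
// policy (older cost), re-hash with the password we just verified.
function checkPassword(PDO $pdo, $userId, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        storePassword($pdo, $userId, $password);
    }
    return true;
}
```

This also covers the "they just reset passwords" point: a forced reset is only useful if the new password is written through `storePassword()` rather than back into a plain text column, and `password_needs_rehash()` lets the cost be raised later without another reset.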