Cupid Media hacked, 42 million passwords were stolen, all stored in plain text
[QUOTE]Up to 42 million lonely hearts have had their personal details stolen from an Australian online dating service.
A hacker targeted the niche dating service Cupid Media, which is run out of Southport on the Gold Coast, earlier this year, stealing client names, email addresses, unencrypted passwords and birthdays. The data was found on a server on which hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the US National White Collar Crime Centre (NW3C), among others.[/QUOTE]
[URL="http://www.smh.com.au/it-pro/security-it/cupid-media-hack-exposes-42m-passwords-20131121-hv3ok.html"]smh[/URL]
Store your memberbase's passwords as hashes, people.
It's not hard.
These incidents happen just frequently enough that it should be obvious to not use plain text.
Having unencrypted passwords is just asking to get your servers broken into. No company should have passwords that aren't stored as hashes at the very least.
In the case of an actual for-profit business, storing your customers' passwords in plaintext should be illegal and chargeable with a big fine.
Dating sites are known to inflate their member numbers by buying information and have the accounts automatically created and then used for advertising.
[QUOTE=PeejsterM;42934194]Store your memberbase's passwords as hashes, people.
It's not hard.
These incidents happen just frequently enough that it should be obvious to not use plain text.[/QUOTE]
[quote="some guy who wears a tie and gets paid six figures because he knows how to build SQL servers"]But that means I have to WORK! I didn't apply for this job to do that! Nobody will ever know that we use plaintext anyways.[/quote]
[QUOTE=PeejsterM;42934194]Store your memberbase's passwords as hashes, people.
It's not hard.
These incidents happen just frequently enough that it should be obvious to not use plain text.[/QUOTE]
Requiring a highly paid consultant to write md5(password) instead of password is completely unreasonable. If you also insist on using a salt then the chance of the consultant doing that is even lower.
[QUOTE=helifreak;42934313]Requiring a highly paid consultant to write md5(password) instead of password is completely unreasonable.[/QUOTE]
Anybody who is paid anything should be able to see what a god-awful idea hashing a password with md5 would be.
Many accounts on those sites are fake as well, made just to scam money from lonely guys.
[QUOTE=helifreak;42934313]Requiring a highly paid consultant to write md5(password) instead of password is completely unreasonable. If you also insist on using a salt then the chance of the consultant doing that is even lower.[/QUOTE]
md5 is broken though :(
[QUOTE=elevator13;42934804]md5 is broken though :([/QUOTE]
You shouldn't store the password as anything that can be read.
[QUOTE=helifreak;42934313]Requiring a highly paid consultant to write md5(password) instead of password is completely unreasonable. If you also insist on using a salt then the chance of the consultant doing that is even lower.[/QUOTE]
Isn't SHA-2 the in thing for password hashing right now?
[QUOTE=mdeceiver79;42934865]Isn't Sha2 the in thing for password hashing right now?[/QUOTE]
Bcrypt is the best thing, as far as I know.
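The posts above go from plaintext to md5(password), to "add a salt", to bcrypt. The following is an added example (not code from any poster, and nothing to do with Cupid Media's actual system) that puts the two ends of that argument side by side in Python: an unsalted MD5 store that a tiny dictionary attack reverses, and a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library, used here because it needs no third-party package; bcrypt, scrypt and Argon2 follow the same pattern) with a constant-time verify. The user names, passwords and word list are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for this example; not breach data.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "123456", "letmein", "qwerty"]  # constructed "dictionary"


def store_md5(password: str) -> str:
    """The thread's md5(password) approach: unsalted and fast.

    Two users with the same password get the same digest, and one
    precomputed table of md5(word) reverses every account at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest: str, wordlist) -> Optional[str]:
    """Dictionary attack against an unsalted MD5 digest: one hash per guess."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == digest:
            return guess
    return None


# Work factor for the slow hash. Assumed value: tune it so one verify costs
# roughly 100 ms on the login servers, and raise it as hardware gets faster.
ITERATIONS = 600_000


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """Salted, stretched hash. Returns a self-describing record.

    The record carries the algorithm, work factor and salt so that the
    work factor can be raised later without rehashing everything at once.
    """
    salt = salt or os.urandom(16)  # per-user random salt defeats shared tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Unsalted MD5: identical passwords collide, and the word list recovers them.
    md5_db = {u: store_md5(p) for u, p in USERS.items()}
    for user, digest in md5_db.items():
        print(f"md5  {user:6} {digest}  cracked={crack_md5(digest, WORDLIST)}")

    # Salted PBKDF2: identical passwords give different records, and each
    # guess costs ITERATIONS hash computations per user, not one table lookup.
    pbkdf2_db = {u: store_pbkdf2(p, iterations=10_000) for u, p in USERS.items()}
    for user, record in pbkdf2_db.items():
        ok = verify_pbkdf2(USERS[user], record)
        bad = verify_pbkdf2("wrong", record)
        print(f"pbkdf2 {user:6} {record[:40]}...  correct={ok} wrong={bad}")
```

Running it shows alice and bob sharing one MD5 digest that the four-word list reverses immediately, while their PBKDF2 records differ and only verify with the right password. The 10,000 iterations in the demo loop are for a quick run; use the full work factor in production.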
[QUOTE=PeejsterM;42934194]Store your memberbase's passwords as hashes, people.
It's not hard.
These incidents happen just frequently enough that it should be obvious to not use plain text.[/QUOTE]
And in some countries, legally required