Heatware probably stores your password in plaintext

I generated a long password for HW, when I got back around to it today it did not work, so I did password recovery.

The recovery email sent to me contained a truncated version of the long password I had used.

Just make sure you're not using a password here that is used anywhere else.
 
In case anyone is curious, it cuts it down to 15 characters. It fails to tell you this anywhere, and your login will fail until you enter just the first 15 characters.
 
Therefore it is stored in plaintext or with reversible encryption.
Neither is acceptable.
 
I've passed this thread along to them. Hopefully this is something they will fix and take seriously.
 
> Therefore it is stored in plaintext or with reversible encryption.
> Neither is acceptable.

It simply means the code that encrypts and stores your password only accepts the first 15 characters it receives and the code that compares your password to the stored one apparently does not truncate your input. So the comparison fails.

Implementing a method to recover passwords means reversible encryption has to be used.
 
After all this bs I decided to make a txt file and fill it with all new passwords, each unique to each site. I just hammered in letters and numbers for each. Now I just need to keep this list on a couple USB keys and I am good to go.
 
> It simply means the code that encrypts and stores your password only accepts the first 15 characters it receives and the code that compares your password to the stored one apparently does not truncate your input. So the comparison fails.
>
> Implementing a method to recover passwords means reversible encryption has to be used.

Still not very secure.

Educate:
http://codahale.com/how-to-safely-store-a-password/
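To make the mismatch described a few posts up concrete (storage truncates to 15 characters, the login comparison does not) and to show the non-reversible alternative the linked article argues for, here is an added Python example. It is constructed for this thread, not Heatware's code, and uses the standard library's PBKDF2 in place of the bcrypt the article recommends.

```python
import hashlib
import hmac
import os

# --- Model of the behaviour reported in the thread (constructed, not Heatware's code) ---
MAX_STORED = 15  # the storage path silently keeps only this many characters


def flawed_store(password: str) -> str:
    # The password itself is kept (truncated), which is the only reason a
    # recovery email can contain it. Reversible storage is the root problem.
    return password[:MAX_STORED]


def flawed_verify(stored: str, attempt: str) -> bool:
    # The comparison path never truncates, so a 16+ character password can
    # never match what was stored; only its first 15 characters will.
    return stored == attempt


# --- Hardened version: salted, iterated hash; nothing reversible is stored ---
ITERATIONS = 200_000  # tune upward for your hardware; higher slows offline guessing
SALT_LEN = 16


def hashed_store(password: str, salt: bytes = None) -> bytes:
    # A fresh random salt per user means equal passwords give different records.
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def hashed_verify(record: bytes, attempt: str) -> bool:
    # Recompute with the stored salt and compare in constant time. The full
    # password participates, so no length limit is needed and no truncation
    # mismatch can arise. Recovery is impossible by design; only a reset is.
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    pw = "correct-horse-battery-staple-2010"  # constructed sample, 33 characters
    rec = flawed_store(pw)
    print("flawed: full password accepted?", flawed_verify(rec, pw))        # False
    print("flawed: first 15 chars accepted?", flawed_verify(rec, pw[:15]))  # True
    h = hashed_store(pw)
    print("hashed: full password accepted?", hashed_verify(h, pw))          # True
    print("hashed: first 15 chars accepted?", hashed_verify(h, pw[:15]))    # False
```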
 
> After all this bs I decided to make a txt file and fill it with all new passwords, each unique to each site. I just hammered in letters and numbers for each. Now I just need to keep this list on a couple USB keys and I am good to go.

I'd recommend using KeePass or FF/Chrome's built-in password manager (the latter two you can sync to FF/Google's servers, respectively). They all allow you to encrypt the password DB with a master password, so if someone else gets hold of your USB key, you're not hosed.

You can also stick the file in a 7z or RAR archive and use 7z or RAR encryption.
 