I think someone is trying to hack my account - or are they? July 2, 2004 8:43 AM

"Your MetaFilter password request"
You requested your MetaFilter password, and that is: [snip]

Login with your username and password here:

Uh, no i didn't! What's going on here? Is someone hacking accounts or is this a bug?
posted by internal to Bugs at 8:43 AM (14 comments total)

neither. someone ignorant (or mischievous) requested your password. so mefi sent YOU your password. it DID NOT send it to whoever requested your password. it's a safety mechanism.
posted by quonsar at 9:14 AM on July 2, 2004

Somebody is probably attempting to hack accounts but like quonsar said the password isn't being forwarded to them so their attempt failed.
posted by substrate at 9:27 AM on July 2, 2004

I thought there was no mechanism in MeFi for requesting passwords. Could this be some Matt-related testing of new features?
posted by seanyboy at 9:33 AM on July 2, 2004

seanyboy: Log out, go to login. Type in the wrong password. You get prompted for something like 'Lost password? Enter your account' and then it gets e-mailed to the address on file.
posted by xmutex at 9:44 AM on July 2, 2004

What's this "logging out" that everyone keeps talking about? </obligatory>

And I always thought the "Somebody who may or may not have been you" aspects of these messages were extraneous. Guess I was wrong.
posted by DrJohnEvans at 10:10 AM on July 2, 2004

I wonder if this might have something to do with internal's username. Like back when someone found out there was a user account named "test" with a highly guessable password, and people had some fun. I can't seem to find that thread now. Was it deleted?
posted by GeekAnimator at 10:22 AM on July 2, 2004

That would be demo you're thinking of.
posted by Johnny Assay at 10:28 AM on July 2, 2004

That would be demo you're thinking of.

oooooooohhhhh. My memory is failing me in my old age. thanks.
posted by GeekAnimator at 10:38 AM on July 2, 2004

Not quite, there was a test account too. Scroll further down.
posted by fvw at 11:36 AM on July 2, 2004

I got one of those a couple years ago.
posted by StOne at 12:53 PM on July 2, 2004

I've often invoked password reminders incorrectly when I've gone back to sites I used to frequent 'years and years ago' and thought I had a certain username which I probably did not. I wouldn't get the tin foil out just yet.
posted by wackybrit at 12:57 PM on July 2, 2004

Without bothering to check by actually requesting my password mailed to me: passwords stored in the database aren't encrypted?

Wouldn't it be a little more secure to email a new random-character password?

My thinking is this: if someone wants to hack your account, they start packet-sniffing your email, and request the password sent to your email account. Granted, either way the hacker sees a password, but with the random character password generation, you're likely to change the password upon having it issued, which would limit the time the hacker has to do whatever it is they're doing (e.g. collecting members' email addresses). Granted, once they see the generated password, they could log in before you do and change the password, essentially stealing the account, but at least this way you'd be more likely to notice and ask Matt to rectify the situation. If your "usual" password is mailed to you in plain text, the hacker could see this and:
a) Use your account to collect otherwise hidden information without you noticing, unless you change your password, which most users are unlikely to do.
b) Take that plain-text password and start trying it on other accounts of yours (found or guessed by reading your profile and/or linked website/weblog). Most people do not use different passwords on all their accounts.
c) Do other things. I'm not a hacker. I would assume that most hackers are more creative than I am.

Matt, wouldn't it be wise to store an md5 hash in the database instead of our actual passwords? How hard would this be to implement? I use hashed passwords on everything I do, and while I admit that I didn't write most of the actual code I use, I have converted a few of the web applications I use from plain-text to hashed without too much effort...
posted by quasistoic at 2:02 PM on July 3, 2004
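One way to implement the two changes quasistoic proposes (store only a hash so the site cannot mail your real password, and answer a "lost password" request with a random temporary password), as an added example that is not MetaFilter's code. It uses PBKDF2-HMAC-SHA256 with a per-user salt in place of the plain md5 the comment mentions, and the temporary password expires and can be used exactly once. The `UserStore` class, the usernames and the e-mail addresses are constructed for the example.

```python
"""Hashed password storage plus a random, single-use reset password.

Added example, not MetaFilter code. The site keeps only salted PBKDF2 hashes,
so a "lost password" request cannot reveal the real password; it mails a
random temporary password that works once and expires. Names are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000
RESET_TTL_SECONDS = 15 * 60  # temporary password lifetime


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    """In-memory stand-in for the users table (constructed for the example)."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def create_user(self, username: str, password: str, email: str) -> None:
        salt, digest = hash_password(password)
        # Only salt + hash are stored; the password itself is never kept.
        self._users[username] = {"email": email, "salt": salt, "hash": digest, "reset": None}

    def request_reset(self, username: str, now: float | None = None) -> tuple[str, str] | None:
        """Issue a random temporary password. Returns (email, temp) for the mailer,
        or None for an unknown user. Only the hash of the temp password is stored."""
        rec = self._users.get(username)
        if rec is None:
            return None
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        rec["reset"] = (salt, digest, now + RESET_TTL_SECONDS)
        return rec["email"], temp

    def verify(self, username: str, password: str, now: float | None = None) -> str:
        """Return 'ok' (real password), 'must_change' (temporary password,
        consumed by this call), or 'denied'."""
        rec = self._users.get(username)
        if rec is None:
            return "denied"
        now = time.time() if now is None else now
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            return "ok"
        reset = rec["reset"]
        if reset is not None:
            r_salt, r_hash, expires = reset
            if now >= expires:
                rec["reset"] = None  # expired: discard the temporary password
                return "denied"
            _, cand = hash_password(password, r_salt)
            if hmac.compare_digest(cand, r_hash):
                rec["reset"] = None  # single use: consumed on first success
                return "must_change"
        return "denied"

    def change_password(self, username: str, new_password: str) -> None:
        rec = self._users[username]
        rec["salt"], rec["hash"] = hash_password(new_password)
        rec["reset"] = None

    def stored_record(self, username: str) -> dict:
        """Copy of what the database would hold, for inspection."""
        return dict(self._users[username])


if __name__ == "__main__":
    store = UserStore()
    store.create_user("internal", "correct horse", "internal@example.invalid")
    email, temp = store.request_reset("internal")
    print("mail to", email, "a temporary password (not the real one)")
    print("temp login:", store.verify("internal", temp))   # must_change
    print("temp reuse:", store.verify("internal", temp))   # denied
```

The real password is never recoverable from the stored record, so the "somebody who may or may not have been you" mail can only ever carry a throwaway credential, and the `must_change` result is the hook for forcing a new password before the account is usable.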

Eh. Quasistoic's scenario is plausible but not all that likely, I would think. Besides, the login page isn't even https, so your password is sent in the clear whenever you log in. Any attacker who wants to sniff packets of yours is probably going to need either nearly direct access to your machine (unless you're connected to the network with a hub and not a switch) or access higher along the network food chain. The arrival of cheap network switches has largely killed network-wide packet sniffing.

But come on. It's *metafilter*. It's not a bank or something. I encrypt passwords on my sites out of habit but there's almost no point to it, except on the 2 commercial sites I have where someone could theoretically steal something from you.
posted by RustyBrooks at 7:39 PM on July 3, 2004

Weird. I posted a clarification ("I got one of those" meaning I once got an unasked-for password email) right after my first comment. It posted. It's gone. Another headscratcher.
posted by StOne at 9:01 AM on July 4, 2004

