28 Comments

  1. Samuel "Otto" Wood

    To be fair, if they had a lot of bad logins lately, then testing everybody is a reasonable thing to do. Back when we did the big reset on org in 2011, we just blanked everybody’s passwords out and forced them to go through the two step reset process. Not the best, but the most straightforward thing to do at the time. Didn’t cause too much hassle, although I was dealing with the confused user emails for the next three years (not a joke).

  2. Knut Sparhell

    Sending a new password in plain text does not mean passwords are stored in plain text. Sending an existing password, on the other hand, will prove it.

    But how can they detect that an existing password is “too simple” when not stored? I guess it would mean walking through a huge list of “simple” and common passwords and compare with the stored salted hash of each user.

    I think nobody and no script should ever do such, except for anonymous research purposes. The stored hash, and corresponding user ID, should only be retrieved for the purpose of password validation.

    • Jason Lemieux

      Right. That’s the same question I had: How did they know the passwords were too simple? Shorter passwords generate a hash that is just as long as longer passwords. I’m curious.

    • mark k.

      Sending passwords in email is a bad habit, as all you need to do to get it is read access, and since emails are not encrypted every node it passes through can read the password. For example, if you use Exchange then the admin of the server can read your emails, and the same goes for Google Apps.

      Getting password in an email is like putting it on a paper and trying to hide it.

      As for how did they know the passwords are bad, this probably can be done without having the password in plain text by using some rainbow tables for a quick brute force attack against the account.

      • Matt Radford

        If they have brute forced the salted and hashed passwords in order to expose short or common passwords, then I think they’re being security conscious. I’m not sure it’s right to crack your customers’ own passwords, but if they’re doing it to improve security in the context of increasing bad login attempts, then ok.

        But the way in which this has been carried out does not give me confidence that they have security best practice in mind. If they couldn’t send password reset emails then blanking all passwords would have been better. My password was perfectly secure until a new, shorter one was emailed to me in plaintext.

      • David Coveney

        To be fair, if they can read your emails, they can do a password reset and get in as well. Most people’s email accounts are the central core of their online identities. Which is why you should use two factor authentication on email and only go with good providers who know what they’re doing.

      • mark k.

        That is not exactly true. If I need to reset a password in order to log into your WPML account then most likely you will be notified and will be alerted to the fact that someone is trying to do bad things with your account. To avoid you noticing it I will need to prevent your access to your email, something that you will notice as well sooner rather than later.
        So if I have RO access to your email and you are just sending unencrypted data in it, I may as well just sit quietly and do nothing.

        And then there is the issue with not so private computers in the household and workplace. Do you really want your kids to have free access to your Amazon account?

    • David

      WordPress didn’t enforce strong passwords until 4.3 (recently released). It is easy to deduce that there are going to be weak passwords.

  3. Mark Barnes

    It’s easy to write a plugin that would measure the strength of users’ passwords. You just intercept the $_POST variable when users log in.

    As to emailing only customers who had weak passwords, I received this email and my previous password was something like “Mf7JU!eP43ps”. Not fantastic, but hardly weak.

    I don’t see a problem with emailing customers passwords, so long as you insist that they change the password after log in. But you’re right, a password reset email would have been much better.

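
An added illustration (not code from the original post, and not WPML’s code) of the two ways the commenters above describe for finding weak passwords: a login-time check on the plaintext the user just submitted, as Mark Barnes suggests, and an offline audit that hashes a list of common passwords with each user’s own salt and compares the result against the stored hash, as Knut Sparhell describes. The PBKDF2 storage scheme, the short common-password list and the sample user table are all constructed for this example; nothing on the page says how WPML actually stores or checked passwords.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for a common/weak password list. A real audit would use
# a large published list; only the shape of the check matters here.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "wordpress", "admin123"]

# PBKDF2-HMAC-SHA256 is an assumed storage scheme for this example, not WPML's.
# The iteration count is kept low so the example runs quickly; production uses far more.
PBKDF2_ITERATIONS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh random salt is used if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_common_at_login(password: str) -> bool:
    """Login-time check on the plaintext the user just submitted (the $_POST approach).

    Cheap: one lookup per login, and no stored hash ever has to be attacked.
    Case-folded so 'Password' counts as the same weak choice as 'password'.
    """
    return password.lower() in COMMON_PASSWORDS


def audit_stored_hashes(users, wordlist) -> List[str]:
    """Offline audit: hash every candidate with each user's own salt and compare
    against that user's stored digest. Returns the IDs of users whose stored hash
    matched a candidate; the matching plaintext is deliberately not returned.

    Cost is len(users) * len(wordlist) PBKDF2 computations, which is why a slow
    hash plus a per-user salt makes this expensive and why the login-time check
    above is the cheaper place to catch weak passwords.
    """
    flagged = []
    for user_id, salt, stored_digest in users:
        for candidate in wordlist:
            _, digest = hash_password(candidate, salt)
            if hmac.compare_digest(digest, stored_digest):
                flagged.append(user_id)
                break
    return flagged


# Constructed sample user table: (user_id, salt, stored_digest).
SAMPLE_USERS = [
    ("alice", *hash_password("password")),     # on the common list
    ("bob", *hash_password("Mf7JU!eP43ps")),   # the kind of password a commenter above reported
    ("carol", *hash_password("qwerty")),       # on the common list
]

if __name__ == "__main__":
    print("flagged by offline audit:", audit_stored_hashes(SAMPLE_USERS, COMMON_PASSWORDS))
    print("login-time check for 'Password':", is_common_at_login("Password"))
```

Either check yields only a yes/no flag per account, which is all that is needed to ask a user to pick a new password through a reset link; neither requires (or produces) a plaintext password to email to anyone.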
  4. Kristian

    My password was 15 characters, upper/lowercase mix, 4 numbers, and 2 “odd balls”.

    On https://howsecureismypassword.net/

    a similar password gets the result “It would take a desktop PC about 157 BILLION years to crack your password”.

    How can that be a weak password??

    And I could change back to my old “weak” password again!

  5. Stephen

    Thanks very much for the explanation – I thought it was spam – and as you say – there was nothing on their web site about it. Keep up the good work being at the forefront on WordPress matters!

    Stephen

  6. Jeffrey

    It is not a good idea to send a new password in plaintext. Period. They should instead initiate a password reset email and let the user change their password by clicking a reset link in the email.

  7. Amit Kvint

    Hi guys,

    We did post around noon today – https://wpml.org/2015/09/password-update-email-from-wpml/

    Cheers!

  8. Stefan

    So, to put it into a nutshell:

    1. they decided that some of their customers may have insecure passwords

    2. to make these accounts more secure, they’ve sent the new passwords of all of these accounts in plaintext via insecure email to the customers

    3. any user that logs in with the new “secure” password can easily change it back to their old, “insecure” password

    4. before and while sending these emails, that very easily may have been considered as phishing emails by their customers, they haven’t published any information about the whole process on their company blog, so their customers weren’t able to verify the source and authenticity of these emails

    5. after many users and blogs complained about the whole thing, they published a blog post stating in the end that “As always at WPML we are committed to learning from our clients”, although the initial intention behind the whole thing seems to be that their clients should learn from them and set more secure passwords for their accounts.

    Call me crazy, but I thought that a professional company – developing some of the most important commercial WordPress plugins – does not need to learn from their customers how to implement a basic level of security, trust and professionalism…

    As someone stated in the WPML support forum, with the above facts in mind, it is at least questionable if they are able to maintain a decent level of security in all of their WordPress plugins…

    • Amit Kvint

      Stefan,

      I agree with you as for the lack of communication (points 4 & 5) from our side, but the rest seems to me a bit exaggerated.

      No account was compromised and the simple fact is that at the end of the day strong passwords are an essential part of online security and are at the hands of each user.

      As we said we’ll review how all this process was handled and make sure we learn from it.

      Cheers!

Comments are closed.