I have noticed this flaw from the very begining.. but never really paid attention to it, and never seemed to find anyone bothered, interested or caring about it, in a world where security is so valued these days... especially after the Snowden thing...
I noticed that in the Settings, we are able to change the account password. WHAT WAS ALLARMING!!! was the fact that I have the option to "Show password", which upon clicking it, I CAN ACTUALLY SEE my own password in plain text..
Not only I'm bothered that the site doesn't use SSL encription and the login credentials circle freely on the network for anyone sniffing it... BUT MY MAIN ISSUE HERE, is that you are able to see my password, which means that it is NOT HASHED. Hell.. I don't even know if it's encrypted in the servers... but the fact that you can descrypt it is ALARMING and a MAJOR security flaw. Passwords are meant to be HASHED with random salts, NEVER encrypted (I hope it's at least encrypted...)
Should I feel safe? Knowing that my password can be seen by anyone who has access to the database?
NO, I DON'T FEEL SAFE!!! This is something that must be corrected ASAP. And I do mean ASAP.
I see many changes around here lately, and I kept myself silent waiting for this to change, but I feel like I must bring this issue up. Nobody ever mentions it.. because they're not aware of the implications of this or the details behind the implementation. I DO!!
I'd like some feedback from any admin please. And general people on here... if any of you actually understood what I meant.
PS: if you ban this question, I swear I'll make my self heard!!
Most Helpful Girl
You're not breaking any rules so stop acting like a child. Myself is also one word.
You can send in suggestions and contact the admins here http://www.girlsaskguys.com/contact0
Most Helpful Guy
You just noticed this? Anyways, this is not "major security flaw" like you're describing it... if their databases get compromised then yeah, it becomes an issue. Otherwise, since you know the passwords is in clean-text, just make sure GAG's password is not the same as your E-mail's password...3
- Show AllShow Less