
Weird Wide Web: the week in online oddities

The internet’s best offerings in social media, tech, science and weird news.

WELCOME TO THE Weird Wide Web – where we take a look at some of the internet’s best offerings in social media, tech, science and weird news.

Photo Sync

Facebook probably has a lot of your photos already – but it wants more, which is why it is introducing Photo Sync. The new service will automatically upload every single photograph you take with your phone to a private album, and then allow you to choose whether or not you want to make images public.

Convenient or invasive?

Internet Explorer “sucks less”

By the way, that’s not an evaluation. It’s the new IE slogan.

(Reach for the stars, guys…)


SoPost

Would you like to use your Facebook and Twitter accounts as your postal address? Well now you can: SoPost turns your social IDs into a postal address so family, friends or companies can send things straight to your account without any details of your home address being shared.

Founder Jonathan Grubin says the service could cut down on the stress of re-routing deliveries after a change of address, as the social ID will remain the same even if your location doesn’t – and also protect privacy by allowing consumers to keep addresses private, reports TechCrunch.

Overlayer

Do you want to add custom overlays to you photos?

Of course you do. Stupid pictures of yourself never get old… and Overlayer.com knows that.

This could be you…

(via Overlayer.com)

I’m just like you

After searching Facebook for people with the same name as him, Reddit user CasinoRoy decided to send them friend requests… but only after dressing up like them and replicating their profile picture first.

A better use for Facebook has never been envisioned.

Check out the photos

Image: CasinoRoy

Main image: Peshkova via Shutterstock


3 Comments

Barry O'Brien, Jan 12th 2014, 11:32 AM

    Who the hell is Ronan Murphy? Why not get someone who actually knows about security to comment? Ireland has a relatively large and knowledgeable infosec community who could give good advice, unlike Mr. Murphy who doesn’t know what he is talking about.

    First, storing a password as md5 hash is not much better than plaintext. Md5 is broken and trivial to crack. Passwords should at minimum be hashed using sha256 (preferably sha512) then salted with a random value, then hashed again. That is a minimum.

    Secondly, md5 is not encryption. It is hashing. Hashes are used for verification and retain none of the original information.

    29
Robin Hilliard, Jan 12th 2014, 12:16 PM

    Was going to say the same thing. Can’t believe that somebody in 2013 is still recommending using an MD5 hash, especially when they appear to think it’s an encryption algorithm.

    // sheesh

    21
Barry O'Brien, Jan 12th 2014, 12:30 PM

    I just had a look at his profile. It seems he’s the CEO of an MSP. I wonder why he didn’t get one of his engineers to comment? His comment doesn’t inspire much confidence in his company as a security provider.

    15
Richard, Jan 12th 2014, 9:10 AM

    Better go cash in my 1 billion worth of prize bonds… oh wait, that was a dream :-(

    24
Colm A. Corcoran, Jan 12th 2014, 10:03 AM

    Limited budget resources is no excuse. They just need a line of code to hash new passwords and another line to hash passwords when logging in. Then prepare a script to convert all previous passwords. I could almost do that for free.

    20
Rehabmeerkat, Jan 12th 2014, 10:37 AM

    How do you know that’s not happening but with reversible encryption?

    1
Barry O'Brien, Jan 12th 2014, 10:58 AM

    You’re not supposed to encrypt passwords. You’re supposed to hash them. Hashing is not reversible. Encryption is.

    14
Colm A. Corcoran, Jan 12th 2014, 11:27 AM

    I don’t, but if they are they shouldn’t. Nevertheless the solution is much the same except with two extra steps, remove the encryption code and decrypt all existing passwords before hashing them.

    And yes, it is bad design, because regardless of what they’re doing behind the scenes, being able to return a user’s existing password is an indication that the password is easily accessible. They are not using md5 and dehashing it as that requires brute forcing it; even if they were I’d be inclined to fire the developer for eating up all the server resources for that.

    All it requires is one other careless overlook on security, such as an SQL injection weakness, and bingo, anyone who can write SQL can get all the user passwords because they weren’t hashed.

    10
TK Maxx To Castlebar, Jan 12th 2014, 12:17 PM

    Oop I didn’t even know I had a password?? I thought I just got a letter in the post if I won ………

    13
Rehabmeerkat, Jan 12th 2014, 10:35 AM

    This article is an absolute load of horseshite. The fact that they email you your password is simply bad design and easily remedied by simply sending a reset link.

    However it does not mean that it is stored in plain text. To check that your password is correct it has to be compared to the original.

    Also md5 can be decrypted back to the original. Or maybe they store they have a master encryption key.

    Journalists shouldn’t write this waffle…

    It IS possible to hack every website…

    12
Rehabmeerkat, Jan 12th 2014, 10:38 AM

    Btw md5 is not random

    2
Aunty Simmonite, Jan 12th 2014, 11:30 AM

    So are you saying that people are not getting their passwords sent by email? Never mind the ifs and buts and what should be done, because we know that already; the article points out that our pals at the National Treasury Management Agency don’t know, so maybe you should help them out.

    5
Robin Hilliard, Jan 12th 2014, 12:25 PM

    @Rehabmeerkat, the point of using salted hashes is that the backend code compares hashes to validate passwords, rather than comparing candidate passwords with the original password. Neither can MD5 “be decrypted back to the original”. Instead, it’s possible, with some work, to find message text which hashes to the same MD5 hash value which is equivalent if the backend code is comparing hashes. Finally, it’s unclear what you mean when you say “they store they have a master encryption key” since MD5 is a hashing algorithm which does not use keys, rather than an encryption algorithm which does (or, are you referring to storing passwords enciphered under a master key, rather than hashing them and comparing hashes? If so, that’s still lousy security practice).

    10
Tom Brennan, Jan 12th 2014, 1:02 PM

    MD5 can be reversed via rainbow tables, check http://md5decryptor.co.uk to see it

    4
Barry O'Brien, Jan 12th 2014, 2:15 PM

    That’s technically not reversed. Theoretically there is an infinite number of collisions and you are just finding one by brute force. But when talking about hashed passwords generally the first result is the password.

    5
Peace for All, Jan 12th 2014, 11:18 AM

    Yet the Bank Guarantee letters weren’t stored in plain text, …. Or were they….

    7
oneSafe, Jan 13th 2014, 2:31 AM

    @NickyRyan_ Thanks for this insightful (although a bit scary) article!

    I have to confirm unfortunately that the fact that passwords have been sent via email does mean that they’re stored in plain text or equivalent (maybe encrypted with the key stored not far from there).

    Usually, as Robin Hilliard mentioned, instead of comparing passwords, systems should compare “hashes” obtained from these passwords, using a complex hash function. MD5 which is mentioned shouldn’t be used in that case as it can be easily reversed using rainbow tables. The way this works is fairly easy to understand: for millions of passwords, the MD5 result is pre-calculated and stored in a big table (called a rainbow table). Then, it’s only a matter of looking up the MD5 result to derive the password.

    The proper way to secure these passwords will be to use a salted hash: that means that each password is hashed using a unique “salt”.

    2
Ray Donaghy, Jan 12th 2014, 12:05 PM

    It’s not too late to burn these Bondholders.

    1