No, that doesn't make sense at all.
https://twitter.com/ppentestlabs/status/1202906268991664128 …
Replying to @svblxyz
Hmm, I dunno, the usual complaint people have about storing passwords in plaintext is that lots of people reuse passwords, so stealing them is valuable and they should be protected. They're saying they can prove their users don't reuse passwords, so stealing them is pointless!
5 replies 0 retweets 13 likes
But why do they think they need a plaintext copy of it in their DB "to send it to you if you forget it" when standard practice is to generate a new one and send that to the user?
2 replies 0 retweets 5 likes
Yep, they absolutely should just regenerate it. That said, not sure that's worth the ridicule they're getting!
3 replies 0 retweets 7 likes
I think the expectation is that a pen-testing company probably should foresee the consequences of such decisions a bit better if they're any good at their jobs. Though, maybe it's because people just love a good public shaming.
2 replies 1 retweet 1 like
I dunno, seems to me they thought about it more than people just toeing the line! Their system is better than most; even if we can nitpick some design issues, it really protects password reusers. They're getting more hate than a company that uses raw MD5.
2 replies 1 retweet 7 likes
Their reasoning for the design choice - "support forgot password use case" - is why I doubt they really thought it through...
1 reply 0 retweets 1 like
They should have just had a regenerate password button, it's easier to implement and handles the revocation case as well. That said, is it really that bad? There's room for improvement, but this protects password reusers better than a typical system, no?
4 replies 0 retweets 3 likes
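The "regenerate instead of store" design argued for in this reply, as an added example that is not part of the thread or of the company's system: the server generates the password, keeps only a salted PBKDF2 hash, and "forgot password" issues a fresh one, which also revokes the old one. The function names, the in-memory `USERS` table and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory "database": username -> (salt, hash). No plaintext is kept.
USERS = {}

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ITERATIONS = 100_000  # assumed value; tune for your hardware


def generate_password(length=20):
    """Server-generated password from a CSPRNG, so the user cannot reuse one of theirs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _store(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def create_account(username):
    """Create the account and return the generated password; it is shown to the user once."""
    password = generate_password()
    _store(username, password)
    return password


def verify(username, password):
    """Constant-time comparison against the stored salted hash."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def forgot_password(username):
    """'Forgot password' = regenerate: a new random password replaces (and revokes) the old one."""
    if username not in USERS:
        return None
    password = generate_password()
    _store(username, password)
    return password  # delivered to the user out of band, never read back from the DB
```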
I think if they had used a salted hash and asked for a password, nobody would care, but that's literally worse than this system, right? If you're a password reuser, this system is safer. If you're not, then who cares what they do with their passwords? 
This safeguards against "inbound reuse", yes. But outbound reuse is not in their control, right? Something like: "This new website is asking for a crazy password, and I have this sticky note for that other website already on my monitor, so let me reuse it"
1 reply 0 retweets 0 likes
But I think we can all agree they got more flak than they deserved.
0 replies 0 retweets 0 likes