While sending passwords in plain text via e-mail is something that should be frowned upon, the e-mail itself is not evidence that they store your password in plain text.
Everyone here implies that passwords are stored in just another table of the database. There are other more sensible scenarios. For example: authentication servers which talk to the front end using CHAP, well behind internal firewalls and with dedicated hardware which holds the private keys and encrypts/decrypts the data.
This has been discussed before. The ability to recover passwords has business value, so in the end it's a tradeoff between risk and money.
If your application can access the password, there is a very high chance that somebody who has application-level access to your machine can just do whatever your application does; you cannot hand-wave that away with "smart cards", "encryption" and "firewalls".
Having a stored password in any format except for one way hashing is a massive and _unnecessary_ liability.
Before you take the time to reply with another convoluted shell game of keep the password away from the hacker, consider the actual necessity and value of a recoverable password. Does it really outweigh the massive security problems?
Anyone that has application level access to your servers can still get your password very easily, for example every time you log in. Why is having a means to decrypt the password so much worse?
You misunderstand the point of password hashing. It is not about preventing people from breaking into the machine containing the hashes; it is about limiting the damage they can do with millions of passwords as a result of doing so. Most people do not bother to change their password from service to service, login to login. So instead of a breach on one system, you potentially have a breach on thousands.
Not if you are doing your login correctly. You shouldn't need to send passwords to a server to login, just hashes of passwords. That's the point. If your server ever needs to see a real password after the account is created or the password is updated, you have introduced a new vector of attack.
Done correctly, login is an exchange of hashes, not encrypted passwords.
A simple way to do this would be to send a unique, random salt S for every login, and the user would reply with e.g. sha1(password + S). However, to be able to check that the answer is correct, you would need to know the user's password, in plain text, which brings you back to square one.
To securely do this, you would need commutative hashing functions, i.e. hashing functions f(x) and g(x) such that f(g(x)) = g(f(x)). Actually, to be completely safe, you would need to be able to generate a whole (preferably infinite) family of commutative hash functions g(x), a random one for each login. I have no idea if such functions exist or, more importantly, if they are known; it's an interesting idea, actually.
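The challenge-response exchange sketched in the comment above, as an added example that is not part of the original thread. Scheme 1 is the sha1(password + S) variant exactly as described, which forces the server to hold the plaintext; scheme 2 goes one step beyond the comment and shows the usual way around that problem: the server stores only a derived verifier v = H(password) at enrolment and checks an HMAC keyed with v over the per-login challenge, so the plaintext never needs to reach the server after account creation. All names and the sample password are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed demo password for the example only; not a real credential.
PASSWORD = b"correct horse battery staple"

def fresh_salt() -> bytes:
    """Server side: a new random challenge S for every login attempt."""
    return os.urandom(16)

# --- Scheme 1: the exchange as the comment describes it ---
def client_response_v1(password: bytes, salt: bytes) -> bytes:
    # Client answers with sha1(password + S); sha1 is kept only to mirror the comment.
    return hashlib.sha1(password + salt).digest()

def server_check_v1(stored_plaintext: bytes, salt: bytes, response: bytes) -> bool:
    # The server can only recompute the expected answer if it holds the plaintext,
    # which is the "square one" problem the comment points out.
    expected = hashlib.sha1(stored_plaintext + salt).digest()
    return hmac.compare_digest(expected, response)

# --- Scheme 2: the server keeps only a verifier derived from the password ---
def derive_verifier(password: bytes) -> bytes:
    # At enrolment the server stores v = H(password) and discards the password.
    return hashlib.sha256(password).digest()

def client_response_v2(password: bytes, salt: bytes) -> bytes:
    # The client re-derives v locally and keys an HMAC with it over the challenge S.
    return hmac.new(derive_verifier(password), salt, hashlib.sha256).digest()

def server_check_v2(stored_verifier: bytes, salt: bytes, response: bytes) -> bool:
    # The server verifies using only v; no plaintext is needed on the server side.
    expected = hmac.new(stored_verifier, salt, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def run_login_v2(stored_verifier: bytes, password_attempt: bytes) -> bool:
    """One complete login round trip under scheme 2 with a fresh challenge."""
    salt = fresh_salt()
    return server_check_v2(stored_verifier, salt, client_response_v2(password_attempt, salt))
```

Because the challenge changes every time, a captured response is useless for a later login; the remaining caveat is that the stored verifier v is itself enough to answer challenges for this service, so a verifier database still has to be protected like any other credential store.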
In most cases, anyone that has application level access can already do the things an ordinary user needs authentication for. The password is irrelevant, unless you want to find it out to access another system you don't already have permissions for.
You say it's _unnecessary_ and "there's a high chance of someone accessing the password". Under those premises, obviously, it's foolish not to use one-way hashing. Mine is that it may provide value and there are sensible ways of mitigating the risk, miles away from accessing the data directly from your application, by using software and hardware designed and implemented by security professionals. That's all.
The problem is, the application fundamentally HAS to be able to access the password, either through direct comparison to authenticate, or some mechanism to mail out the password. This fundamentally cannot be separated, that's why hashing is always better, and why the risks are nearly impossible to meaningfully mitigate.
How does that statement hold true? I can easily think of an application that just uses a simple service on a separate box behind a firewall that only accepts an email and then sends the password. Authentication works via CHAP or any other auth protocol. The application itself never has access to the plaintext password.
Granted, an attacker may gain access to the app-server and then proceed to crack the authentication server, but he could also just rig the application to pass on any password it receives. Just about as good as cracking the auth server and far easier to do. (Added bonus: works for hashed passwords just as well).
Granted, this may seem tons of work for a simple solution, but from there on, it's a business decision.
From the article, possibly damage to a satellite. However, a really big one, like the Carrington Event of 1859, would take out long-distance power transmission lines, most satellites, and unprotected electronic equipment. No Internet, airliners falling out of the sky, probably months or years before everything was fully restored.
I don't think it's really about being smart. Having a basic grasp of language so you can adequately articulate yourself in a conversation is critical to discussion. If you can't, then you probably shouldn't be taking part in the discussion anyway.
Too many people will spill their emotions into a discussion with substandard spelling and grammar, which makes it very difficult for others to understand them, which leads to inevitable misunderstandings.
The grammar issues presented on this page are picayune distinctions with very little potential for major misunderstandings. Getting them correct is more of a social signal than anything else, like eating salad with the correct fork in some places and not eating food with your left hand in others.
I have real trouble imagining that a good point made with substitution errors is somehow less critical to the discussion than a poor point that doesn't confuse it's/its.
More importantly, I think it's fair to ask that people learn basic grammar, and if we don't take it upon ourselves to insist on seeing correct grammar, then that will never happen. That's why I think being a so-called grammar nazi is important. Now, being a dick about it is a different matter, but somehow people think you're a dick regardless if you try to correct their spelling/grammar, so there's only so much that can be done there.
That said, there are definitely some levels of pedantry that can be varied. For example, I tend not to be too put off by it's/its. There/their/they're, however, is annoying for me, because the words themselves have such monumentally different meanings. Same deal with fair/fare. Then/than is annoying to me because I actually pronounce them (subtly) differently, so as I'm internally reading the words, it throws me even more.
Overall, I'm really agreeing with you -- I don't think there is serious potential for misunderstandings. And indeed, a good point made with grammatical mistakes is more important than a correctly-made bad one. But a good point made in 'proper' English is, I think, better than a good point made in 'bad' English.
In simple social situations that may be true. But not being able to grasp the basics of language will have an effect on how someone communicates complicated thoughts and ideas.
How would you expect someone taking on a programming challenge of, say, an operating system, without a basic understanding of boolean logic, to fare?
In the Netherlands the situation is pretty much the same. I personally never use recruiters to find a job. I had briefly put my CV up on a website and got harassed for months afterwards with job vacancies that didn't even relate to my CV. Most developers around me also hold a grudge against recruiters and see them, as mentioned in your article, as a necessary evil.
In the Netherlands, the recruitment market has in the past few years been flooded with extremely aggressive recruiters from the UK. The majority of the recruiters I encounter are British, even though they are recruiting Dutch developers for Dutch employers.
It's a global issue. A lot can be done to change it though. Have a look at my previous post 'Questions from my experiences as a recruiter on Hacker News' for tips on how to deal with sub-par recruiters.
I think the advice you give is interesting, though I'm more curious to hear why you think people should use a recruiter in the first place? I can see the potential training or retouching of a CV, but I feel somewhat confident that I got that right. So then, what's left?
And isn't the harassment a trade-off for, as I perceive it, being too lazy to find a job yourself?