Wednesday, May 2, 2012

Marvel's Security Makes Nick Fury Cry

I'm going to take a break from my JavaScript series for a minute because I need to vent my geek rage about something that just happened to me. I was logging into Marvel's website and I had forgotten my password. So like any other user, I requested my password be resent to my email address. The typical form was filled out and I went to my inbox and read a few emails while I waited.

When the email arrived I was horrified! The email contained my actual password! That means Marvel was storing my password in a form they could read back. The horror! Now I'll admit that I use a different password for every site I log into (I'm not joking). I actually use a passphrase when I can. So I'm fairly sure that if their database were compromised I'd have been safe. But storing passwords is an incredibly bad idea, even if they're encrypted. If an attacker has compromised your network, they'll likely find your encryption keys too, and then every encrypted password is as good as plaintext.

There are already volumes written about why storing passwords is bad. There are tons of stories of stolen passwords. And there are lots and lots of articles on how you should authenticate users with a password and how you should be storing password hashes: a per-user random salt plus a deliberately slow hash, with "forgot password" handled by a reset link rather than by mailing anything back.
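As an added illustration (my own example code, not anything from Marvel's site or from the articles linked below), here are the two patterns side by side: a store that keeps the password recoverable and emails it back, which is what I ran into, and a store that keeps only a salted PBKDF2 hash and answers "forgot password" with a single-use, expiring reset token. The iteration count and the `example.invalid` host in the reset link are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: a PBKDF2-HMAC-SHA256 work factor in the range current guidance
# recommends; tune it so a verify takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


class RecoverableStore:
    """The anti-pattern: anyone who can read the table (or the email) has the password."""

    def __init__(self):
        self._users = {}

    def register(self, email, password):
        self._users[email] = password

    def forgot_password_email(self, email):
        # Exactly what the post observed: the stored secret goes out in the mail.
        return f"Your password is: {self._users[email]}"


class HashedStore:
    """Store only a salted, iterated hash; recovery is replaced by a reset token."""

    def __init__(self, iterations=PBKDF2_ITERATIONS, token_ttl=900):
        self._users = {}   # email -> (salt, derived_key, iterations)
        self._tokens = {}  # sha256(token) -> (email, expiry timestamp)
        self.iterations = iterations
        self.token_ttl = token_ttl

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def register(self, email, password):
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
        self._users[email] = (salt, self._derive(password, salt, self.iterations), self.iterations)

    def verify(self, email, password):
        record = self._users.get(email)
        if record is None:
            # Run the KDF anyway so an unknown email costs as much as a wrong password.
            self._derive(password, b"\x00" * 16, self.iterations)
            return False
        salt, expected, iterations = record
        # compare_digest avoids leaking how many bytes matched through timing.
        return hmac.compare_digest(self._derive(password, salt, iterations), expected)

    def forgot_password_email(self, email, now=None):
        """Nothing about the password can be recovered, so mail a one-time token instead.

        A token is issued even for unknown emails so the response does not reveal
        which addresses have accounts; reset_password checks the account exists.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token so a leaked token table cannot be replayed.
        self._tokens[hashlib.sha256(token.encode()).digest()] = (email, now + self.token_ttl)
        return f"Reset link: https://example.invalid/reset?token={token}"  # placeholder host

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry or email not in self._users:
            return False
        self.register(email, new_password)  # fresh salt and hash for the new password
        return True
```

With the hashed store, a "forgot password" email can never contain the password, because the site no longer has it; the worst a database leak yields is a pile of salted hashes that each have to be attacked one at a time at the chosen work factor.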

I just wanted to vent my geek rage and link a few key articles for anyone who reads this to read and ponder, most of them by Jeff Atwood, who seems to have a hot button for this issue.

More from Mr. Atwood on the matter:

(Image copyright Marvel)


  1. When signing up for a new site I usually use a throw away password that I don't intend to use in the long run. Sign in, do whatever, then try to reset my password to see if they send me my password in plaintext. If they do, meh, it's not a real password. If they don't I change it to something more secure. That's no guarantee they aren't storing it in plaintext, but it's at least a hint.

    1. That's a good idea. I tend to use the same throwaway password on every site I don't really care about. As long as that site doesn't have the ability to buy anything; if that's the case I'd use a completely unique password.
