Home > General > Affiliate Marketing Forum

Do networks not encrypt passwords? (5)


04-12-2014 03:42 PM #1 jordsmi (Member)
Do networks not encrypt passwords?

I've had two networks send me my password via email, in plaintext, in the past week. One of them was when I did a password reset, which is pretty scary to me as this means that the password must be stored in the database in plaintext (they didn't reset my password, they just sent me my old password instantly). The other was telling me I was accepted, but the email was a week+ after I signed up, which also means the password had to be saved somewhere in plaintext.


It scares me that a business who is working with this much money isn't securing their users' information. Encrypting passwords is like web dev 101 and is very easy to do, so I'm not sure why they wouldn't be doing it.


04-12-2014 03:53 PM #2 swissfactor (Member)

A lot of companies do not encrypt/hash the passwords. Even an MD5 hash is considered bad nowadays. What can you do? Nothing, just use different passwords, which you should do anyway =).

Btw. what shocks me more is that Namecheap took about 3 - 4 days to fix Heartbleed but a German website for recipes (cooking) fixed it instantly.


04-12-2014 04:50 PM #3 bbrock32 (Administrator)

Unfortunately CAKE doesn't encrypt them, I know that from personal experience.

I hope they won't wait for someone to hack them before using salted hashes.

Anyway you have to do your part, use a different password for each site.

I use LastPass to generate random passwords for each site and change the main pass for LastPass quite often just to be extra sure.


04-12-2014 05:24 PM #4 davidwikes81 (Member)

Quote Originally Posted by jordsmi
I've had two networks send me my password via email, in plaintext, in the past week. One of them was when I did a password reset, which is pretty scary to me as this means that the password must be stored in the database in plaintext (they didn't reset my password, they just sent me my old password instantly). The other was telling me I was accepted, but the email was a week+ after I signed up, which also means the password had to be saved somewhere in plaintext.


It scares me that a business who is working with this much money isn't securing their users' information. Encrypting passwords is like web dev 101 and is very easy to do, so I'm not sure why they wouldn't be doing it.

The only platform I remember which does that is HitPath.

Cake and HasOffers both encrypt them. When resetting a password, they (Cake and HasOffers) send you a generated password by email. You are supposed to log in using it and change this password after the first login. If you are not doing this, it's a security risk. Cake and HasOffers are both fully secure affiliate tracking platforms.

For HitPath networks, you can't change the reset password on some networks. This again is a security risk.


04-12-2014 05:27 PM #5 davidwikes81 (Member)

Quote Originally Posted by swissfactor
A lot of companies do not encrypt/hash the passwords. Even an MD5 hash is considered bad nowadays. What can you do? Nothing, just use different passwords, which you should do anyway =).

Btw. what shocks me more is that Namecheap took about 3 - 4 days to fix Heartbleed but a German website for recipes (cooking) fixed it instantly.

Salted MD5 hashes are still secure. Always taking action first is not a wise move. Namecheap's infrastructure is bigger than a recipe website's. It takes time to roll out updates and test them.

