socially entropic xenophilia… in toronto

where nonsense and pretense come to fornicate…

Archive for February, 2009

WordPress thoughts

Posted by nullexe on February 5, 2009

So I was invited to write on this blog-space and of course I first had to create an account.  Not a big deal but I did notice a couple of interesting things while signing up.

First of all, I have two aliases I usually use on the Internet. When trying to register my account I was told that the login name was already taken; like most sites, I had the option of resetting the account. Now I’m pretty sure I’ve never registered an account on WordPress before, but for fun I decided to see if my e-mail address was already in the system (I don’t know why it would be, but I digress). On the password reset page I noticed I could reset my password by supplying either my username or e-mail address. I slapped in the old e-mail address and was told that it wasn’t in the system. Alright, that’s good: I hadn’t gotten drunk, registered a WP account and blogged while loaded, what a relief. Now, since my account name is pretty unique, I decided to try to submit the username and see if a reset e-mail was sent to one of my older e-mail accounts. Throwing in the username and bam! This username is not registered! Hmm, interesting, does this mean there’s already an account or not? This must be investigated later, as I really would like the original account name.

Moving on, I registered using the second alias I use and the registration process was pretty straightforward until I had to confirm my account creation through the e-mail address I provided. Imagine my surprise when I clicked on the link to activate the account and my username and password were presented to me in plaintext on an unencrypted webpage. cringe, thankfully I don’t use generic passwords.

I’m sure this has been noticed before but I’m not a fan of this system. It means that WordPress is storing my password in cleartext on their backend system. What’s wrong with MD5’ing the password and storing the hash???? This would at least make it a bit more difficult to guess passwords if the system was compromised, and how many people use the same username and password for every account they set up? double cringe.
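An added example, not part of the original post and not WordPress code: a sketch of storing a password verifier instead of the password, so that nothing on the backend can be shown back on an activation page. It goes beyond the post's MD5 suggestion by adding a per-user salt and PBKDF2; the record format, iteration count and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def md5_record(password: str) -> str:
    """The post's suggestion: store an unsalted MD5 digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def kdf_record(password: str, iterations: int = ITERATIONS) -> str:
    """Store algorithm, work factor, salt and derived key; never the password."""
    salt = os.urandom(16)  # fresh random salt for every account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the key from the stored parameters, compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    # Constructed sample: two accounts that reuse the same password.
    pw = "correct horse battery staple"
    a, b = kdf_record(pw), kdf_record(pw)
    return {
        "md5_same": md5_record(pw) == md5_record(pw),  # reuse is visible
        "kdf_same": a == b,                            # reuse is hidden by salts
        "good_login": verify(pw, a),
        "bad_login": verify("wrong guess", a),
        "password_in_record": pw in a,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With unsalted MD5, two accounts sharing a password produce the same stored value, which is the reuse problem the post raises; the salted records differ even for identical passwords.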
