They say passwords were stolen. This must mean they are not properly hashing passwords with salts stored outside of the database.
How many times does this have to happen before people realize that passwords are never to be stored in plaintext? The only exception is a client-side program that needs to log you in and in an ideal world that would be handled by a Kerberos-like ticket system.
> They say passwords were stolen. This must mean they are not properly hashing passwords with salts stored outside of the database.
It could also mean that the attacker was in a position to observe the plaintext supplied by the user after it was decrypted (from SSL) but before it was authenticated (with a password hash algorithm).
Or it could be that they're just not being too particular about the details, on the side of being overly conservative.
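The first comment calls for hashing every password with a salt plus something kept outside the database, and the reply points out that even then the server handles the plaintext for a moment at login. The following is an added example, not code from either commenter or from the breached site: a minimal server-side store-and-verify routine in Python. Everything in it is an assumption for illustration: the PEPPER value (a secret that would live in an environment variable or key store, never in the same database as the hashes), the PBKDF2-HMAC-SHA256 iteration count, and the `scheme$iterations$salt$digest` record layout.

```python
import hashlib
import hmac
import os

# Hypothetical server secret kept OUTSIDE the database (constructed value for this example).
# A dump of the user table alone is not enough to attack the hashes without it.
PEPPER = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")

# Work factor: assumed value; raise it as hardware gets faster.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Pre-hash the password with the out-of-database pepper, then stretch it
    with a per-user random salt so two users with the same password get
    different records and precomputed tables are useless."""
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def hash_password(password: str) -> str:
    """Return the only thing the database ever stores: never the plaintext."""
    salt = os.urandom(16)
    digest = _derive(password, salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the submitted plaintext and compare in constant time.
    Malformed or foreign records are rejected rather than raising."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = _derive(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)


def record_leaks_plaintext(password: str, stored: str) -> bool:
    """Sanity check a practitioner might run over a dump: does the stored
    record contain the password in the clear (or hex-encoded)?"""
    return password in stored or password.encode("utf-8").hex() in stored


if __name__ == "__main__":
    # Constructed demo credentials, not real user data.
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("login ok:     ", verify_password("correct horse battery staple", rec))
    print("wrong pw ok:  ", verify_password("Correct horse battery staple", rec))
    print("leaks plain:  ", record_leaks_plaintext("correct horse battery staple", rec))
```

Note what this does and does not cover: the stored record is useless to someone who only has the database, and two users with the same password produce different records. It does nothing about the case the reply raises, where the attacker sits inside the server after TLS termination and reads the plaintext as it arrives; that is a host-compromise problem, not a storage problem, and no hashing scheme addresses it.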