Results 26 to 50 of 57

  1. Post
    #26
    suntoucher wrote:
    That was true in 2005. Not so much these days, and Google released a collision method in 2017. I was using SHA-256 but just switched to Argon2. May as well do it now rather than get caught out in a decade when technology is beyond our wildest dreams of today.
    Magento is using AES-256 / SHA-256 atm.

    Please read - https://docs.magento.com/m1/ee/user_...n-hashing.html

  2. Post
    #27
    Privoxy wrote:
    You did a terrible job, your code is shoddy, your design is crap, and why have you only used SHA1? Is this 2016?
    Hey, I'm just wondering what makes what we did a terrible job and our code shoddy? The website is sitting on the world's top ecommerce platform with our in-house design / coded with full Bootstrap 4 / W3C standards. All PHP code is written to the best maintainable / performance standards. I was wrongly mentioned as SHA1. It's using SHA-256.

    Have you had a look at the rendered HTML / JavaScript code? I'd like to know your level of skills in programming (since we have been programming since 1999 and working with a bunch of tech companies around the world).

  3. Post
    #28
    magebinary wrote:
    Hey, I'm just wondering what makes what we did a terrible job and our code shoddy? The website is sitting on the world's top ecommerce platform with our in-house design / coded with full Bootstrap 4 / W3C standards. All PHP code is written to the best maintainable / performance standards. I was wrongly mentioned as SHA1. It's using SHA-256.

    Have you had a look at the rendered HTML / JavaScript code? I'd like to know your level of skills in programming (since we have been programming since 1999 and working with a bunch of tech companies around the world).
    I write the code that runs the banks of Nz.

  4. Post
    #29
    Privoxy wrote:
    I write the code that runs the banks of Nz.
    So? I have seen people who work at the FBI leave open access to the API. The NZ banking system is probably the world's worst, since transactions from bank A to bank B take 2 - 24 hours. I'm sure there are lots of ETL crons running / checking etc., whereas leading bank systems are already blockchained / Kafka based.

    You haven't even looked at the code, probably started judging. Please have a look at Magento's code base. It's a proper MVC / EAV abstracted code base. The site is probably the best stack to date. Docker containers (ZFS / illumos OS based) / Redis / latest PHP / full front-end suites (proper compiler for Sass / JS) / Bootstrap 4 (Sass) / Magento with the cleanest code possible.
    Last edited by magebinary; 24th March 2019 at 11:17 pm.

  5. Post
    #30
    Privoxy wrote:
    I write the code that runs the banks of Nz.
    Lol that doesn't say a lot, actually the opposite from what you are trying to imply.
    However Magento is one of the cancers of this world.

  6. Post
    #31
    Well, that was a long time to wait for a reply. If you were using AES back then, the password wouldn't have been retrievable. So it's only been changed recently.

  7. Post
    #32
    eXDee wrote:
    Why does playtech store their passwords as plain text?

    Clicked forgot my password expecting a password reset link, they just emailed me my password in plain text. Which means they are storing them in the database in plain text - or use a reversible hashing algorithm which is equally as insecure.

    I thought any decent company would have better security than this... :mad:

    Glad they use DPS for credit card payments, otherwise I'd never put my card details into their site.

    /rant
    Was the email at least sent over SMTP-TLS?

  8. Post
    #33
    Privoxy wrote:
    I write the code that runs the banks of Nz.
    I thought you were a consultant now? Consultants don't do code!

  9. Post
    #34
    Nerd fight! Nerd fight!

  10. Post
    #35
    Bobs wrote:
    Nerd fight! Nerd fight!
    Sit down with the other children, dear.

  11. Post
    #36
    Bobs wrote:
    Nerd fight! Nerd fight!
    LMAO! No fight tonight. di di di ding ding ding..... Shakira Shakira.

    - - - Updated - - -

    MysticNZ wrote:
    Well, that was a long time to wait for a reply. If you were using AES back then, the password wouldn't have been retrievable. So it's only been changed recently.
    Hey, we started working with the client in 2017, so yeah.

  12. Post
    #37
    I once called an ISP to reset my password and they just read out my password to me over the phone. Was not happy.

  13. Post
    #38
    teelo7 wrote:
    I once called an ISP to reset my password and they just read out my password to me over the phone. Was not happy.
    Used to work for a security firm where myself or literally anybody else working there could open a program (with no login or password requirement, literally double click the app and bang), type in somebody's email address, reveal their password and use it for whatever malicious intent they'd like. It was a minimum wage job, and we had some fairly questionable people employed there. One guy nearly went to jail (or he even might have, I can't recall) on a firearms offence resulting in an AOS callout. Anyway, one hell of a lot of people were using generic passwords too. The only requirement for a password was that it was 4 characters. Better yet, I don't know the exact details of their security on those terminals, but I know it was piss poor. I recall being able to log into any terminal I liked from home using TeamViewer. Free versions of TeamViewer too, not even a company licence.

    I informed the general manager of the company of the massive security risk that all of that posed and his response was something along the lines of 'we've got bigger fish to fry but I'll take note of it'. 3 years later when I eventually quit that shitshow, it was still completely unchanged.

    Now to wrap this all up in a tidy bow, this is the largest security monitoring station in New Zealand. How's that for absolutely incompetent.

  14. Post
    #39
    magebinary wrote:
    Hi guys,

    Playtech doesn't store the password as plain text. Everything is SHA-256 encrypted.

    Don't think to ask me how I know this, since our company developed it on Magento - the best eCommerce platform on earth.
    1: Why did you necro a thread from 2012 in 2019?

    2: https://github.com/OWASP/CheatSheetS...Cheat_Sheet.md

    Best practice is a one-way, irreversible function/transform... not reversible encryption. You shouldn't be able to send the user their password in an email, because you don't know what it is.
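    Post #26 (plain SHA-256 versus a slow KDF like Argon2) and post #39 (the OWASP point that a password store must be a one-way transform, so a "forgot password" flow cannot mail the password back) both come down to the same design choice. The block below is an added example, not code from this thread, from Magento or from Playtech: it puts an unsalted SHA-256 store next to a salted, memory-hard scrypt store (Argon2id is the better choice today; scrypt is used only because it ships in Python's standard library), shows why the unsalted digest falls to a cheap wordlist lookup, and finishes with the reset-token flow that a one-way store forces on you. The record layout `scrypt$N$r$p$salt$hash`, the cost parameters, the 15-minute token lifetime and the wordlist are all assumptions made for the example.

```python
"""Added example (not from the thread, Magento or Playtech): one-way password
storage with a work factor, and the reset-token flow that replaces emailing a
password back."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# scrypt cost parameters: assumed values for this example; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
RESET_TOKEN_TTL = 15 * 60  # seconds; an assumed policy value


def sha256_store(password: str) -> str:
    """Unsalted SHA-256, i.e. what the thread calls 'SHA-256 encrypted'.
    It is one-way, but fast and deterministic: equal passwords give equal
    digests, and one precomputed table cracks every user who chose them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_sha256_with_wordlist(digest: str, wordlist) -> Optional[str]:
    """Defender-side check: does this digest fall to a plain dictionary lookup?
    With no salt and no work factor, each guess costs one cheap hash."""
    for word in wordlist:
        if hmac.compare_digest(sha256_store(word), digest):
            return word
    return None


def kdf_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt record (Argon2id is preferred in practice;
    scrypt is used because it is in the standard library). Record layout is
    our own assumption: scrypt$N$r$p$salthex$hashhex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt defeats shared tables
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), derived.hex()])


def kdf_verify(record: str, candidate: str) -> bool:
    """Recompute with the salt and parameters stored in the record and compare
    in constant time. Nothing here can run backwards to recover the password."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    derived = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(derived.hex(), hash_hex)


def issue_reset_token(reset_store: dict, user: str, now: Optional[float] = None) -> str:
    """The 'forgot password' flow a one-way store forces on you: there is no
    password to email, so mail a single-use random token instead. Only the
    token's SHA-256 digest is kept server-side; a fast hash is fine here
    because the token is 256 bits of randomness, not a human-chosen password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    reset_store[digest] = (user, now + RESET_TOKEN_TTL)
    return token


def redeem_reset_token(reset_store: dict, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a valid, unexpired token and burn it; None otherwise."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = reset_store.pop(digest, None)  # pop: a token is single-use
    if entry is None:
        return None
    user, expires = entry
    return user if now < expires else None
```

    The point to take from running it: two `kdf_store` records for the same password differ (per-user salt), verification still succeeds for both, and the digest of a common password under `sha256_store` is found by a tiny constructed wordlist with no effort, which is why "SHA-256 encrypted" is not the reassurance it sounds like. The reset flow stores only a digest of the token, so a leaked reset table is not a set of working reset links.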

  15. Post
    #40
    magebinary wrote:
    Hi guys,

    Playtech doesn't store the password as plain text. Everything is SHA-256 encrypted.

    Don't think to ask me how I know this, since our company developed it on Magento - the best eCommerce platform on earth.
    Comes to the forum specifically to pimp their eCommerce platform, too eNaive to recognise the thread they're responding to is 7 years old.

    I'm sure your software is great though matey...

  16. Post
    #41
    magebinary wrote:
    Hey, we started working with the client in 2017, so yeah.
    Then why did you claim that you built their last site?

  17. Post
    #42
    teelo7 wrote:
    Pretty sure that checks out - they got a new store in 2017 and again recently, i.e. they've done the last two including this one.

  18. Post
    #43
    Our IT dept drives to work in a bunch of Nissan Leafs.

  19. Post
    #44
    Privoxy wrote:
    I write the code that runs the banks of Nz.
    But you could never write anything like the pbtech website xD

    Ragnor wrote:
    https://github.com/OWASP/CheatSheetS...Cheat_Sheet.md

    Best practice is a one-way, irreversible function/transform... not reversible encryption. You shouldn't be able to send the user their password in an email, because you don't know what it is.
    This.

  20. Post
    #45
    Stasis wrote:
    But you could never write anything like the pbtech website xD

    This.
    Ooh, a JRE client app would be one way to make a website worse. Playtech 2021?

    I can't believe that client apps still are things that exist.

  21. Post
    #46
    suntoucher wrote:
    Ooh, a JRE client app would be one way to make a website worse. Playtech 2021?

    I can't believe that client apps still are things that exist.
    They don't really in the real world, only in schools and when you get your friend's kid to build you something because he's really "into computers".

    Java belongs on the server doing the heavy lifting.

  22. Post
    #47
    Privoxy wrote:
    They don't really in the real world, only in schools and when you get your friend's kid to build you something because he's really "into computers".

    Java belongs on the server doing the heavy lifting.
    They definitely do. My father trades using HKBEA Securities which is a Java client app. And they released a new version recently and redid their website so they had a chance to be rid of it.

    I know this because he came along on my recent trip overseas and didn't bring his laptop but still wanted to trade. So now I have this horrible monstrosity installed on my machine. Also it apparently doesn't play nice with Firefox.

    JRE client apps exist in all of the niches of companies that don't believe in your philosophy, and thus wouldn't be companies you deal with so you'll never see it.

    I bet there are still companies out there using Pentium 4s, but they're not companies I work with, thus I have not seen one in recent times and could conclude no one uses Pentium 4s anymore.

  23. Post
    #48
    Thick client apps are used everywhere; I've seen Delphi and JADE in the last 2 weeks alone. Would much prefer Java to those.

  24. Post
    #49
    Oh, also I was shocked how behind the rest of the world is when it comes to web dev. It's really only big tech companies that have nice websites across the rest of the world. Even tech forward places like Japan, Hong Kong, Singapore, the US etc.

    So I wouldn't be surprised if other countries still extensively use Java client apps.

    Jump on google.com.hk and do a few random searches and click through, NZ is surprisingly forward.

  25. Post
    #50
    suntoucher wrote:
    Oh, also I was shocked how behind the rest of the world is when it comes to web dev. It's really only big tech companies that have nice websites across the rest of the world. Even tech forward places like Japan, Hong Kong, Singapore, the US etc.

    So I wouldn't be surprised if other countries still extensively use Java client apps.

    Jump on google.com.hk and do a few random searches and click through, NZ is surprisingly forward.
    Yup, a lot of Korean sites in particular are so bad that they make it into Edge's blacklist, aka the "compatibility list". Take, for example, the HSBC website in Korea.

    edit: and then there's this. Yeah...
    Last edited by BURN_BABY; 5th April 2019 at 5:00 pm.