TheAntsPants
Devout Dirtbag
mk one said:
Some strange comments.
I doubt very much any passwords are stored in plain text, even if they were to then find that person's bank, their account name and number, then to hack a bank's site is certainly imaginative. Banks offer customer support due to security breaches anyway.
To add another point, encrypted passwords are usually fairly easy to decrypt, so it is more about gaining access to the password file than how easy it is to read once there.
Scenario 1
1. Assume your RB password and email, bank etc passwords are the same or similar.
2. I get your RB password.
3. Now I know your email. That alone opens up Pandora's box.
4. From your email I know your bank, contacts, etc.
5. "Oh hey honey, it's me, mk one. Bank says our account has been hacked. You need to change the password here at fake_website.com."
Scenario 2
1. Assume admin's login is http as well. Assume passwords are stored in plain text in database.
2. I get admin's password.
3. Now I have everyone's passwords, emails.
Sensitive data exposure (which includes plain text passwords) is number three in the Top 10 Web Application Security Risks:
https://owasp.org/www-project-top-ten/O ... a_Exposure
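Scenario 2 above depends on the user table holding passwords in plain text. The following is an added example, not part of the original post or of the forum's software: it stores a constructed user table both ways and compares what a copy of each table reveals. The user names, e-mail addresses, passwords and scrypt cost parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example)
N, R, P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024

def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                          maxmem=MAXMEM, dklen=DKLEN)

def hash_password(password: str) -> dict:
    """Return a record holding a fresh random salt and the scrypt digest."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _scrypt(password, salt).hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    digest = _scrypt(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def readable_passwords(table: dict) -> dict:
    """Passwords that anyone holding a copy of the table can read directly."""
    return {u: row["password"] for u, row in table.items() if "password" in row}

def migrate(table: dict) -> dict:
    """Replace each plain text password with a salted scrypt record."""
    return {u: {"email": row["email"], **hash_password(row["password"])}
            for u, row in table.items()}

# Constructed sample data: two users who chose the same password.
PLAINTEXT_TABLE = {
    "alice": {"email": "alice@example.com", "password": "correct horse"},
    "bob": {"email": "bob@example.com", "password": "correct horse"},
}

if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_TABLE)
    print("plain text table exposes:", readable_passwords(PLAINTEXT_TABLE))
    print("hashed table exposes:    ", readable_passwords(hashed))
    # Per-user salts make identical passwords produce different records.
    print("same record for same password:",
          hashed["alice"]["hash"] == hashed["bob"]["hash"])
    print("login still works:", verify_password("correct horse", hashed["alice"]))
```

The e-mail addresses remain readable in both tables, so the hashed form protects the passwords only, and password reuse across sites (Scenario 1) is a separate exposure.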