FYI digiKey just emailed me my password in plain text.


Myron

Jan 9, 2013, 8:55:03 AM1/9/13
to portable-so...@googlegroups.com
Don't use standard passwords.  It's not a deal breaker.

Kyle Smith

Jan 9, 2013, 9:15:55 AM1/9/13
to portable-so...@googlegroups.com
That qualifies as a deal breaker in my book! Maybe if enough people spoke out against the practice, digiKey would implement secure password reset procedures. If they can't secure your account password, do you really expect that they do much better securing your financial data? I say write them a letter that soberly explains why you cannot trust them with your business. If everyone did so, their security policy might improve. But don't hold your breath for them to change just for you. Just state your case and then find a supplier who actually has a security policy. And, as an aside, you should never have anything like a standard password. The use of a standard password on the Internet puts all your accounts at risk. Be safe; the Internet is a dangerous place, even if you use best practices.

Best wishes,

--
Kyle Smith (AG2F)
air...@me.com

Myron Reiss

Jan 9, 2013, 9:34:13 AM1/9/13
to portable-so...@googlegroups.com
I do try to keep these things in perspective. I am not too keen on the restaurant process, when the waiter takes my credit card to the back room. Everybody does it and I would look like the A-hole if I insisted on paying with a card and didn't allow it out of my line of sight.

Kyle Smith

Jan 9, 2013, 10:56:15 AM1/9/13
to portable-so...@googlegroups.com
Myron,

I am sorry if I seemed to lecture.  When it comes to Internet security, I am a self-professed evangelist, attempting to warn what appears to me to be a complacent public.  I have been writing software since my father taught me how to type on a keypunch machine.  I hold a master's degree in computer science from the Univ. of Calif., Santa Cruz, having studied machine learning and scientific visualization. I consider myself a retired computer scientist, even though I actually retired as an MD.  Thus, I felt that I understood the risks of operating on the Internet.  That is, until I was hacked into the Stone Age by persons I will likely never know.  The intrusion lasted the better part of a year, and thus I had plenty of time to school myself on the methods used by malicious hackers, and computer forensic techniques.  And this self-learning was forced upon me, since, if you should ever be so unlucky, you would quickly find out that law enforcement (and here I speak of everyone from the local sheriff up to the FBI) has absolutely no role in private residential computer intrusions.  The FBI said to protect myself as best I could.  So I devoured every piece of information I could get without the aid of a safe Internet connection. In short, it was a rude awakening to find out just how ignorant I was regarding security policy and techniques.

Therefore, I speak up whenever I hear of bad or no security policy to anyone who will listen.  The sad truth is that the public is not nearly as attentive to even the most basic of security methods and policy, and that leaves them as sitting ducks who will, sooner or later, be the victim of an attack, yet they may never even know their system has been compromised.

I only wish you well, and do not mean to embarrass you, so please forgive me for my zeal when it comes to security.

Best wishes,

--
Kyle Smith (AG2F)

Kindanyume

Jan 9, 2013, 12:04:41 PM1/9/13
to portable-so...@googlegroups.com
Sorry guys.. but both are right. Ultimately I agree w/Myron that we all need to do what we can for security. Digikey in this case needs to get their head out of their asses though IMO.. since there really is no excuse for something that dumb now. So I emailed em about it and I'm sure others will as well.

That said.. there are limits to what is realistic for security as well. We can't go around using a 2048bit password for every site that is on an auto rotating system etc etc. But use of LastPass for example with one very good master password is an excellent way to get far better security while making it real world manageable. IMO at least. (And given whom is in this group I doubt I'm alone lol)

:)

Steve Gibson

Jan 9, 2013, 4:44:58 PM1/9/13
to portable-so...@googlegroups.com
FWIW...

It's not a deal breaker for me either.

I don't use the same password anywhere else (I have no idea what it is since LastPass worries about that for me), and so far as I can tell, there's no notion of an "account" with them where they are deliberately retaining my credit card info in between transactions.  They do have a long history of all my past purchases, but I would freely publish that publicly.  I'm not happy about that news, but they still have my business.

/Steve.

Steve Gibson

Jan 9, 2013, 4:45:09 PM1/9/13
to portable-so...@googlegroups.com

Kyle Smith

Jan 9, 2013, 5:55:45 PM1/9/13
to portable-so...@googlegroups.com
Steve,

If you can tolerate sloppy security, then I haven't a prayer to convince anyone else. Many folks have your attitude, which amounts to complacency in matters of security, based on an estimate of the person's loss exposure, should the site be compromised. I'm not going to try and convince you that your estimate is lower than it actually is. There isn't any use in trying to convert the masses of citizens, that our collective security is jeopardized when we passively accept incorrect security practices with those to whom we do business, when public icons of personal security, which you have become, actively condone the behavior.

I have little hope for any country whose citizens will accept even the worst security practices, simply because they do not perceive a personal loss exposure. I get this attitude from MDs as well, because they don't see a personal downside to dealing with hospital information systems that have truly no functional security policy. Their view is that it's the hospital's database, and if the hospital won't take adequate security measures, it will be the hospital's problem, and there will be no personal impact on their own business.

I assure you that if the citizenry will stand by and tolerate this attitude, the Federal government will institute laws and policy, in the name of national security, that will reach out to everyone, and make them part of a particularly personal liability based on notions of collective liability, that will slowly entangle us all in very hard handed government based security, that we may never be able to throw off. Ultimately the citizens will get what they allow.

Nonetheless, I respect your right to act in accordance with your beliefs. I anticipate the worst, all the while I pray that I am wrong.

Best wishes to each of you. You are now returned to your regularly scheduled programming. Ignore the old fart who wrote this letter, he's truly harmless, but doesn't hesitate to speak his mind.

--
Kyle Smith (AG2F)
air...@me.com

Kindanyume

Jan 9, 2013, 5:58:28 PM1/9/13
to portable-so...@googlegroups.com
Sadly I have to agree in many ways.. esp the gov intervention. They fuck everything up.. so best we do it right w/o them 1st IMO

Oh and as you read earlier.. I understand both sides. But Steve.. really? your podcast's name alone... need I say more? (hence why I emailed the supplier)

Steve Gibson

Jan 9, 2013, 6:31:03 PM1/9/13
to portable-so...@googlegroups.com
FWIW...

I'm not an absolutist.  I fight the battles I can win and I don't waste my life's precious time tilting at windmills.

I have no power to change DigiKey's infrastructure, and in truly every other way they are amazing.  We ONLY know that they haven't figured out how to do password storage and recovery correctly because of this event.  How many other sites are likely WORSE, but we don't know it, yet blithely use them without a second thought?

So I'm not losing any sleep over this.  (I'm happy to let you guys worry for me)

But I WILL -- because now I am duty bound -- let my own site's visitors know, where and when I recommend DigiKey, that we have discovered that they are likely storing our passwords in the clear, or at least that they are not hashing them, and that password recovery is by eMailing said password in the clear.  (Whereupon, if you're worried about that, you should change it immediately.)

/Steve.

Kindanyume

Jan 9, 2013, 6:33:04 PM1/9/13
to portable-so...@googlegroups.com
Fair enough Steve

though if everyone here and/or SN listeners email them,.. hopefully they will get a clue
(though I'm not holding my breath of course)