We generally think of passwords as something secret, right? But recently, I was surprised when I saw the login system of a famous organization in the UK 😳
Apparently, you log in with your email address and an "8-digit numeric PIN," but get this: after logging in, you can view that PIN in full, right there on the screen 💡✨
Wait, Aren't Passwords Supposed to Be Hidden? 👀
Normally, passwords are stored using a one-way process called "hashing," which makes it infeasible to recover the original string from what is stored. So, in principle, the site operators shouldn't be able to see your password.
But here, it seems different...
- Does this mean the PIN is stored in plain text (or in a reversible state)?
- And I heard that if you forget it, they send the entire PIN in an email with a "We'll tell you your PIN" vibe—honestly, I was shocked 🥺
And the First 4 Digits of the PIN Are Your Birthdate⁉ 😮💨
What's even more puzzling is that the first 4 digits of the PIN are supposedly your "birthdate (MMYY)."
So, if someone knows your birthday, they could guess about half of your PIN...? Hmm, that's a bit scary 💭
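To put numbers on that "half" (an added worked example, not part of the original post): the script below counts how many PIN candidates actually remain under the MMYY scheme, and how far a per-account attempt limit would cap online guessing. The birth-year range and the attempt-limit values are constructed assumptions, not anything the post states.

```python
import math

PIN_LENGTH = 8          # 8-digit numeric PIN as described in the post
PREFIX_LENGTH = 4       # first four digits are the birthdate in MMYY form
# Constructed assumption: members were born somewhere between 1930 and 2010.
BIRTH_YEARS = range(1930, 2011)


def plausible_mmyy_prefixes(years=BIRTH_YEARS):
    """All MMYY strings that correspond to a real month and a birth year in `years`."""
    return {f"{month:02d}{year % 100:02d}" for year in years for month in range(1, 13)}


def effective_keyspace(birthdate_known, years=BIRTH_YEARS):
    """Number of PIN candidates left once the MMYY structure is taken into account.

    The nominal keyspace is 10**8. The prefix rule shrinks it even for a stranger
    (only real month/year pairs occur) and collapses it to the four free digits
    for anyone who already knows the birthdate.
    """
    free_digits = 10 ** (PIN_LENGTH - PREFIX_LENGTH)
    if birthdate_known:
        return free_digits
    return len(plausible_mmyy_prefixes(years)) * free_digits


def entropy_bits(keyspace):
    """Strength of a uniformly chosen secret from `keyspace` candidates, in bits."""
    return math.log2(keyspace)


def online_coverage(keyspace, attempts_per_day, days):
    """Fraction of the keyspace an online guesser can cover under a per-account
    attempt limit (a mitigation the post does not mention; constructed policy
    values). Returns 1.0 once the limit no longer protects the account."""
    return min(1.0, attempts_per_day * days / keyspace)


if __name__ == "__main__":
    nominal = 10 ** PIN_LENGTH
    stranger = effective_keyspace(birthdate_known=False)
    acquaintance = effective_keyspace(birthdate_known=True)
    print(f"nominal keyspace        : {nominal:>11,} ({entropy_bits(nominal):.1f} bits)")
    print(f"birthdate unknown       : {stranger:>11,} ({entropy_bits(stranger):.1f} bits)")
    print(f"birthdate known         : {acquaintance:>11,} ({entropy_bits(acquaintance):.1f} bits)")
    # With the birthdate known and 5 attempts per account per day allowed, a month
    # of guessing covers only a small slice of the 10,000 candidates.
    print(f"coverage, 5/day, 30 days: {online_coverage(acquaintance, 5, 30):.1%}")
```

Knowing the birthdate removes far more than half of the candidates: 100 million shrink to 10,000, which is why a strict per-account attempt limit (and a PIN the user can change) matters so much under this scheme.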
You Can't Even Change It Yourself? 💬
Usually, you can change your password or PIN yourself after logging in, right?
But here it's different. If you think "someone might know it," you have to contact them via email to get a new PIN issued. It seems inconvenient and leaves you feeling uneasy 😓
It's Hard to Believe This Is a Major Organization 🤔
This organization is quite well-known in the UK and seems like a proper company, so they must have proper IT audits, right?
That's why I think there must be "a good reason for this unusual specification!"... but as an amateur, I don't really get it 💗
Actually, I think managing passwords and PINs is an incredibly difficult problem.
But still, showing passwords in plain sight is definitely not normal, and this story left me feeling a bit scared ✨💭
Comments
エマ
The first 4 digits are always your birthday in MMYY format, so don't forget. 🤭
ハンナ
The camera system password was 'Louvre'—never underestimate incompetence.
リリー
Even with hashing, if there are fewer than 100 million unique inputs, it's pointless; with today's hardware, bcrypt can be cracked in 20-25 minutes.
グレース
A PIN isn't a password, and you should know that when it's provided. Is there email verification or something?
クリス
If they set the PIN and it's not tied to other passwords, the risk is low. Papercut can also retrieve PINs.
レオ
The gym group, that's hilarious.
ハンナ
The problem isn't storing the PIN in plain text; it's the design flaw of authenticating identity with just an email (semi-public info) and a PIN.
ノーラン
Don't worry about hashing. With 4 digits being your birthday, the actual remaining possibilities are few, and brute-forcing is easy.
サム
Are you confusing PINs with passwords?
ハンナ
Sounds like an amateur's initial system. You'd be surprised if you knew how credit card and bank info is handled too.
ベン
Is this a one-time pass or just a regular PIN?
リリー
It's almost impossible to tell from the outside. An 8-digit PIN has 100 million possibilities; they might be managing it with rainbow tables or something.
クリス
Better than plain text, but seems like a hassle. They might be using a JWT mechanism, but it's likely still stored in plain text. Companies often do the bare legal minimum cheaply.
エマ
Looks like plain text? Then try entering this:
ジョージ
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
ロバート
Nobody wants to admit it, but I think this kind of thing is more common than we'd like to believe.