I remember hearing before that it’s a sign they are storing your info unencrypted but I never checked.
Is this true? I was logging into a .gov website and noticed it does that.
The only issue with it is that it allows attackers to determine that a given person has an account on a site, which, if the site is pornhub or similar, could be embarrassing (try signing up to pornhub with your local politician's email).
The way around this is to do something like:
“We need to verify your email is correct, by sending you a code”
This doesn't tell the attacker anything, but if there already is an account, the email itself can just say "You already have an account, here are the links to reset and login".
Side note: encryption is reversible, hashing is not. Passwords should be stored hashed, but emails only need to be encrypted (or plaintext, but less ideal). And because it's reversible, they can get the original value back. They cannot reverse a hash to get the password back, so if a site ever tells you info about your password, that is a sign they might not be hashing it correctly.
Given many people use the same password on many sites, it can allow the bad actor to "guess" their password based on data from other leaks.
Then whatever is inside that account may be accessible, such as financial info. Even protected data like cc info might show the last 4 digits, which can be used when talking to an agent to verify identity etc.