It never ceases to amaze me how ignorant and nonchalant the development community is about security. To this day, even the simplest precautions aren't implemented. Why? It's nearly 2009, there's no excuse, and it's infuriating.
A couple of years ago I noticed MySpace.com wasn't encrypting their log-ins. I wrote tech support and posted a warning in the forums. The responses I got were things like, "You see those asterisks in the password field? That means the password is encrypted." They have no idea how insulting this is. The fact is, they were never encrypting the log-in or account-edit pages. All of that information was being sent over the wire in plain text, a feeding frenzy for hackers.
It would be funny if it wasn't so serious. MySpace is continually dumbfounded as to why their members' pages are getting hijacked and defaced (especially high-profile artists'). MySpace has been such a cesspool that the FBI has had to step in to clean up the child porn and pedophiles.
A single $50/year SSL cert would close the hole, but that's too high a price to pay, I guess. I will never use MyCesspool.com. I don't need the FBI crashing through my door at 4:00 AM because some hacker sold my credentials to a pedophile. Nope.
Then you look at a place like GoDaddy.com. You'd think they understand security... that they care. But no. They refuse to implement secure FTP authentication. If you are using FTP with GoDaddy, your password has probably already been sniffed and is sitting in some hacker's database right now.
Do you know how easy it is to set up a Snort box and sniff this stuff? You can set it up with more than one Ethernet card, as a passive tap, and sniff without leaving any trace of your node. No IP address to track you... nothing. No one knows you're sitting there, and no one knows what you got or when you got it. It usually takes about 15 hops to get to godaddy.com from here. That's a LOT of places for a Snort box to be inserted: anywhere along that path. And since the return path usually takes a different route, you can basically multiply that hop count by 2.
GoDaddy.com has a tremendous problem with accounts being hijacked and customers' websites getting defaced. They're continually dumbfounded as to why. They're trying to fix it by adding a ludicrous lockout feature: miss your log-in even ONCE and you're locked out for 10 MINUTES! It would be hilarious if it wasn't so serious. This new feature isn't going to help, because the passwords aren't being brute-forced, they're being sniffed!
You see, many, many people use the same password for FTP access that they use for their GoDaddy account, and GoDaddy stores your credit card information there. (This is why the credit-card companies now mandate that the card number be masked with asterisks when it's displayed, even on your encrypted account page: encryption on the wire doesn't do anything if the attacker simply logs in with stolen credentials.)
Even more serious is that many, many people use the same password for everything. They use their GoDaddy.com and MyCesspool.com password for their bank and PayPal accounts too. This is where it gets really ugly, as you can imagine, and it has become an enormous problem. They don't like to release the statistics, but this is the largest problem the FBI is facing now, and it comes as no surprise why.
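To make the sniffing and password-reuse points above concrete, here is an added example (my own code, not anything from MySpace, GoDaddy or the original post). It takes a constructed capture of one cleartext FTP log-in and one HTTP form log-in, in the one-line-per-segment form a sniffer sitting on the path might print, pulls out every credential that crossed the wire, and then reports which password was reused across services. The addresses, hostnames, account names and the password are made up, and the form-field names are the usual guesses rather than anything specific to a real site.

```python
"""Recover credentials from cleartext FTP and HTTP login traffic.

This is an added example, not code from the original post. The capture
below is constructed by hand in the one-line-per-segment form a sniffer on
the path might print; the addresses, account names and password are made up.
"""
import re
from urllib.parse import parse_qs

# Constructed capture: one FTP control session and one HTTP form login from
# the same client, each line as "src > dst : payload".
CAPTURE = """\
10.0.0.5 > 203.0.113.10:21 : USER jdoe
203.0.113.10:21 > 10.0.0.5 : 331 Password required for jdoe
10.0.0.5 > 203.0.113.10:21 : PASS Summer2008!
203.0.113.10:21 > 10.0.0.5 : 230 User jdoe logged in
10.0.0.5 > 203.0.113.10:80 : POST /login HTTP/1.1
10.0.0.5 > 203.0.113.10:80 : Host: members.example.test
10.0.0.5 > 203.0.113.10:80 : Content-Type: application/x-www-form-urlencoded
10.0.0.5 > 203.0.113.10:80 :
10.0.0.5 > 203.0.113.10:80 : email=jdoe%40example.test&password=Summer2008%21&remember=1
"""

FTP_CMD = re.compile(r"^(USER|PASS) (.+)$")
USER_KEYS = ("username", "user", "login", "email")   # assumed common field names
PASS_KEYS = ("password", "passwd", "pass", "pwd")


def _first(fields, keys):
    """Return the first form field present from `keys`, or None."""
    for k in keys:
        if k in fields:
            return fields[k][0]
    return None


def extract_credentials(capture):
    """Walk the capture and return every credential pair sent in the clear."""
    found = []
    pending_user = {}  # (src, dst) flow -> USER seen, awaiting its PASS
    for line in capture.splitlines():
        src, _, rest = line.partition(" > ")
        dst, _, payload = rest.partition(" : ")
        host = dst.split(":")[0]

        m = FTP_CMD.match(payload)
        if m:  # FTP sends USER and PASS as literal commands on port 21
            cmd, arg = m.groups()
            if cmd == "USER":
                pending_user[(src, dst)] = arg
            else:
                found.append({"proto": "ftp", "host": host,
                              "user": pending_user.get((src, dst)),
                              "password": arg})
            continue

        # A form-urlencoded body is the only payload line with '=' and no spaces.
        if "=" in payload and " " not in payload:
            fields = parse_qs(payload)
            password = _first(fields, PASS_KEYS)
            if password is not None:
                found.append({"proto": "http", "host": host,
                              "user": _first(fields, USER_KEYS),
                              "password": password})
    return found


def find_reuse(creds):
    """Map each password seen on more than one service to those services."""
    by_password = {}
    for c in creds:
        by_password.setdefault(c["password"], []).append(c["proto"])
    return {pw: protos for pw, protos in by_password.items() if len(protos) > 1}


if __name__ == "__main__":
    creds = extract_credentials(CAPTURE)
    for c in creds:
        print(f"{c['proto']:4} {c['host']:15} {c['user']} / {c['password']}")
    print("reused:", find_reuse(creds))
```

Nothing here is clever: the FTP password is a literal `PASS` line and the HTTP one is a URL-encoded form body, so anyone with a tap on any of those hops needs about forty lines of code to harvest them, and the reuse report is exactly the "same password for FTP and the account" problem.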
Then I come to DNN. I think, heck, these guys are hardcore MS-VIPs who create frameworks for other developers. They pride themselves on adhering to industry best practices. But here we go again. Not 15 seconds after registering, they break best practice and share my password with every hacker between us!
Why, oh why, do you even bother encrypting the member registration form when you are going to turn right around and send my log-in credentials back to me in a plain-text e-mail? This makes absolutely no sense. I entered my password into your registration form TWICE not 15 seconds ago, and you are sending it back to me for "future reference"? We don't need that! That's what a "forgot password" feature is for.
Have you noticed that best-practice "forgot password" features don't send the password in a plain-text e-mail? They mail a one-time reset link instead, and a site that stores only a hash of your password couldn't mail it back even if it wanted to. Guess why... actually, you don't have to guess, because I just spent the last hour laying it out for you. And now I have to spend even more time going around to all the websites where I use that password and changing it, because you couldn't keep our secret a secret.
Sending passwords over e-mail for "future reference" is unnecessary and a huge security hole. This is one reason we're having such a hard time with identity theft, fraud, website defacement, and so on: the developers who write code for other developers can't even get the simple stuff right.
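Here is what the right design looks like, as an added example written for this post (not DotNetNuke's code). Registration stores only a salted PBKDF2 hash, so the site has nothing it could mail back, and "forgot password" sends a random, single-use token that expires after fifteen minutes and is itself stored only as a hash. An in-memory dict stands in for the user table, a list stands in for the outgoing mail queue, and the reset URL and the example.test address are assumptions.

```python
"""Account registration and password reset that never put the password in mail.

This is an added example, not DotNetNuke's code. It assumes an in-memory
dict standing in for the user table and a list standing in for the outgoing
mail queue; the reset URL and the address example.test are made up.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000      # slow the hash so a leaked table resists brute force
RESET_TTL_SECONDS = 15 * 60      # reset links expire quickly

users = {}         # email -> {"salt": bytes, "hash": bytes}
reset_tokens = {}  # sha256(token) -> (email, expiry); the token itself is never stored
outbox = []        # (recipient, body) in place of an SMTP transport


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(email, password):
    """Store only a salted hash; the welcome mail carries nothing secret."""
    salt = os.urandom(16)
    users[email] = {"salt": salt, "hash": _hash_password(password, salt)}
    outbox.append((email, "Welcome. Log in with the password you chose."))


def verify_login(email, password):
    rec = users.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def request_reset(email, now=None):
    """Mail a one-time, short-lived link. Same reply whether or not the
    address exists, so the form cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    if email in users:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        reset_tokens[key] = (email, now + RESET_TTL_SECONDS)
        outbox.append((email, f"Reset your password: https://example.test/reset?token={token}"))
    return "If that address is registered, a reset link has been sent."


def complete_reset(token, new_password, now=None):
    """Consume the token (single use), reject it if expired, set a new hash."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(key, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    salt = os.urandom(16)
    users[email] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    return True


def token_from_mail(body):
    """What the user does by clicking the link: pull the token out of the mail."""
    return body.rsplit("token=", 1)[1]


if __name__ == "__main__":
    register("alice@example.test", "correct horse battery")
    print(request_reset("alice@example.test"))
    token = token_from_mail(outbox[-1][1])
    print("reset ok:", complete_reset(token, "new passphrase"))
    print("reuse ok:", complete_reset(token, "again"))
    print("login:", verify_login("alice@example.test", "new passphrase"))
```

Run it directly to see the flow. The mail queue never contains the password, a stolen reset mail is worthless after one use or fifteen minutes, and the reset form answers the same way for unknown addresses so it can't be used to find out who has an account.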
Everyone who uses sites like these (MyCesspool.com, GoDaddy.com, DotNetNuke.com, etc.) needs to take a moment, go to every site where they use that password, and change it. If you use the same password for PayPal.com, your bank account, or any other critical site, you need to take this advice seriously and NEVER use your PayPal or bank password on sites like this. Make a separate one.
The bottom line is... don't trust that these people are watching out for your security. Chances are they really don't understand security, or they just don't care. I doubt I'll use DNN, but if I do, you can be sure I'm going to inspect every line of code to make sure it's secure.
Uhhggg... Now off to change my password on the other sites, as it has probably been compromised.