Comment This happens all the time (Score 4, Insightful) 305
I work for UC Santa Barbara, and I've seen a lot of this before. We force users to select usernames and passwords, and until recently, did not encrypt the users passwords in our database. Just out of curiosity, I tried using the applicants username/password on the e-mail accounts they entered.
Sure enough, I was able to access many of the e-mail accounts. I quickly stopped, realizing that some of these people probably also used the same username/password combinations for their bank accounts, etc.
Now, when users log in, an MD5 hash is compared against the hashed password in the database.
Many of the people were Hotmail users. Just think when your .NET Passport is also your bank and credit card authentication, or your NationalID card authentication, or...
Sure enough, I was able to access many of the e-mail accounts. I quickly stopped, realizing that some of these people probably also used the same username/password combinations for their bank accounts, etc.
Now, when users log in, an MD5 hash is compared against the hashed password in the database.
Many of the people were Hotmail users. Just think when your
