Show Gallery Password in Gallery Settings

Packhorse-4 Registered Users Posts: 65 Big grins
edited October 12, 2015 in SmugMug Support
Good Morning - I am looking through some of my galleries to check out the new SmugMug design from a customer viewpoint. Overall, the new design is looking really good - Thanks!

I have several password protected galleries for customers and I let them choose the password - I would type in the password they selected when setting up the gallery. Previously, when I went into the Gallery Settings, I could scroll down to the password section and view the password. This was handy when I needed to view the site as the customers do, or if someone contacted me because they couldn't recall their password. All I see now is a line of asterisks (**********).

Is there any way to reveal the password? I could change the password, but if I am only trying to view the page as my customers do, I don't want to change their password.

-- John

Comments

  • brandofamily Registered Users Posts: 2,013 Major grins
    edited August 1, 2013
    So you're saying your passwords were preserved in the migration, but you just cannot see them in the gallery setting?
    I ask because I read another post that made it sound like they were all lost...
  • Packhorse-4 Registered Users Posts: 65 Big grins
    edited August 1, 2013
    brandofamily wrote: »
    So you're saying your passwords were preserved in the migration, but you just cannot see them in the gallery setting?
    I ask because I read another post that made it sound like they were all lost...

    Correct - The passwords are all in place, but I just can't read them any longer. The ones I remember continue to work, but for the ones I can't recall - All I see is a row of *********.

    -- John

  • brandofamily Registered Users Posts: 2,013 Major grins
    edited August 1, 2013
    Packhorse-4 wrote: »
    Correct - The passwords are all in place, but I just can't read them any longer. The ones I remember continue to work, but for the ones I can't recall - All I see is a row of *********.

    Have you gone live on NEW SM?
    The other user said they went bye bye as soon as they went live... all their passworded galleries were open for all to see...
  • den123 Registered Users Posts: 28 Big grins
    edited August 2, 2013
    Same problem is here. I migrated to new SM design. Now I can't read passwords. Passwords are correct and usual user have no problem to enter in gallery. But I can't see password values :( How to solve it???? I don't remember all passwords :((((
  • Packhorse-4 Registered Users Posts: 65 Big grins
    edited August 2, 2013
    brandofamily wrote: »
    Have you gone live on NEW SM?
    The other user said they went bye bye as soon as they went live... all their passworded galleries were open for all to see...

    Yes - I went live on the NEW SM the day after the press release. The gallery passwords are not missing - they are still in place and working as expected. The only issue is that I can't read them.

    -- John

  • Packhorse-4 Registered Users Posts: 65 Big grins
    edited August 2, 2013
    FYI: I did hear back from a SmugMug Support Hero - this is what they told me:

    I'm sorry, it is no longer possible for you, or us, to see passwords once you save the gallery. If you or the client have forgotten the password, you will simply need to create a new one. We did this for security, I'm sorry for the inconvenience.

    I'm all for security, but the only way to see the Gallery Passwords is when you are already logged in to the main SmugMug account. At that point you don't need a Gallery Password because you already have full access to view, edit, delete, etc. all of the photos in the account - Password protected or not.

    I guess I'll need to start a spreadsheet with all of my SmugMug Gallery Passwords in case I need to view a gallery as my clients do or remind them of the password if they forget. At a minimum, I will need to find some way to store the passwords with my client information now that I can no longer see it in the Gallery Settings section.

    -- John

  • Adam73 Registered Users Posts: 6 Beginner grinner
    edited May 19, 2015
    For security? If I'm admin on my site, I should be able to see the passwords I create. I give my clients a password and sometimes their entire families. One person loses the password and I can't help them because if I change it for the one client, all the clients need to know the new password.

    -Adam
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited May 20, 2015
    For those coming from the old SmugMug, all your existing gallery passwords will continue to work on the New SmugMug. Due to the secure way gallery / folder passwords are kept on the New SmugMug, you won't be able to view a password in plaintext again. Once you enter a password on a folder, gallery or anywhere else on SmugMug, the password is kept in a way that not even we could look it up anymore. If you can't recall a password and don't have it written down anywhere (perhaps in your emails as part of an email to a client), you could only set a new password.
    Sebastian
    SmugMug Support Hero
  • Allen Registered Users Posts: 10,007 Major grins
    edited May 20, 2015
    There should be a warning for anyone transitioning to NewSmug to view all their passwords and write them down while still in Legacy. Perhaps a page redirect with this warning in the process.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • JETA Registered Users Posts: 90 Big grins
    edited September 23, 2015
    Whoa! This is a horrendous feature! Yet again I'm forced to change my website and now have to deal with this!

    Please fix! I need to be able to see these passwords and it would have been nice to know I can't see them before I went over to the new site!

    Good grief!
    JETA
  • leftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited September 23, 2015
    JETA wrote: »
    Whoa! This is a horrendous feature! Yet again I'm forced to change my website and now have to deal with this!

    Please fix! I need to be able to see these passwords and it would have been nice to know I can't see them before I went over to the new site!

    Good grief!

    Hi JETA,
    We have your passwords safely tucked away for you. If you'd like to have them sent to you, please send a message to our Support Heroes. Storing plain text passwords is a really bad way to keep your photos safe. You only need to read the headlines to know how big of an issue photo security is. This change is one of the many ways that New SmugMug keeps your photos safe.
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • tlphotos Registered Users Posts: 63 Big grins
    edited October 5, 2015
    I'm in new smugmug and I have the same issue when I create a new gallery. I enter a password, and when I go back later, all I see are asterisks. How can I make it so that I can view the password in the gallery security tab?
  • tlphotos Registered Users Posts: 63 Big grins
    edited October 5, 2015
    I am in new smugmug and have the same issue with newly created galleries. What can I undo so I can see the password in galleries I create today?
  • leftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited October 5, 2015
    tlphotos wrote: »
    I'm in new smugmug and I have the same issue when I create a new gallery. I enter a password, and when I go back later, all I see are asterisks. How can I make it so that I can view the password in the gallery security tab?

    For security reasons we do not transmit your gallery passwords through the internet as plaintext. You only need to look at the news headlines to see why photo password security is important and we take your photo security seriously.
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • tlphotos Registered Users Posts: 63 Big grins
    edited October 5, 2015
    I certainly appreciate security. I would like to propose, however, that there be a way for administrators to see their settings and password when in gallery set up, even have it be an option where users take the risk. Keeping a log of the many passwords I have for each customer's personalized gallery is cumbersome. I want to take the risk, and I'd own it, to be able to see the password when I am in my gallery settings.
  • Jenuine Registered Users Posts: 155 SmugMug Employee
    edited October 6, 2015
    Hello,

    I am not sure you fully understand all the attack vectors we are protecting against with the removal of password visibility, so let me clarify a few points.

    Let's talk about assuming the liability for the Owner's account as if that is the only potential vulnerability. That's not the primary attack we are protecting against with this case. If you can log into an account, you can already access those galleries. That's not the concern here. Instead, imagine said hackers managed to compromise our Galleries tables in our database. They don't have access to accounts, but they have the data we have stored regarding the galleries for all users. If we stored the gallery passwords in plaintext in that table, they now have access to _every_ "secured" gallery on our site, even though they have not managed to compromise a single customer's account. In order for us to reveal passwords to owners, that data would be inherently insecure and thus the hackers who got the gallery data would then have them all.

    Thankfully no such breach has ever happened, and our Ops and Engineering teams are extremely talented. But these are the exact sort of precautions that help us make sure that no such breach ever does happen, or that if a breach ever does, the damage is minimal. That sort of breach is the type you hear in the news from sites like Ashley Madison, Target and Home Depot. Those sites weren't compromised because a single customer's account was breached. They were compromised at a much higher level, and entire data sets were stolen. In Target and Home Depot's cases, it was primarily personal data like credit card numbers (which we also protect, unlike those two much larger companies). In Ashley Madison's case it was other user data like messages and contacts that they thought was secure. We protect secured galleries to make sure that anyone who got into that data couldn't then expose all protected galleries on SmugMug, and then we also take every modern precaution to make sure that nobody could actually get into that data. This is about modern, best practices for security. Plaintext password storage is a huge vulnerability.

    As to the point about being worried that someone will gain access to a Customer's Account through the galleries, that's simply not the point I have been making. Nobody is gaining access to an account through an unsecured gallery password. As mentioned above, this is protecting against every vector instead of just the obvious one through the Customer's Account.

    If a customer account is compromised, they gain access to that customer's galleries. If the gallery data is compromised from a different vector, they would gain access to EVERY customer's galleries if we didn't hash the passwords properly.

    That's why entire sites exist to shame services that use plaintext password storage:
    http://plaintextoffenders.com/
    They have examples of exactly what I am talking about, large scale data leaks, on their About page:
    http://plaintextoffenders.com/about/

    That's the primary question at the core of this security measure. If SmugMug had a compromise of gallery data, which thankfully we have been able to prevent for over 13 years, would you want someone to be able to read every password to every gallery and publish those online for everyone to see? I can't answer for you obviously, but I can answer for the vast majority of our customers that we have talked to. The answer is overwhelmingly that they expect us to secure their password protected galleries to the absolute best security standards. That is why we made this change.

    You might disagree with those security measures, but these are absolutely the recommendations of *every single top security expert*.
    https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
    https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
    http://php.net/manual/en/faq.passwords.php
    http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374

    I can go on, but you get the point. I don't know of a single security expert or publication who recommends against hashing + salting passwords. If you expect to secure data, you have to stay on top of modern standards.

    Unfortunately, in this case, this solution is simply non-negotiable. I wish we could accommodate your specific use case, but we cannot overrule our top security experts to implement what is widely considered as bad practices. I hope you understand.
    Jen
    SmugMug Support Hero
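
An added example, not part of the original thread and not SmugMug's code: the salted hashing Jen describes above, sketched in Python to show why a saved gallery password can be checked and replaced but never displayed. The PBKDF2 parameters, the ten-character mask, and all function names, gallery names and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware
MASK = "*" * 10        # assumed fixed placeholder shown on the settings page


def make_record(password: str) -> dict:
    """Build the row a galleries table would hold: salt and hash, never plaintext."""
    salt = os.urandom(16)  # fresh per gallery, so equal passwords give different rows
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from a visitor's attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def settings_view(record) -> str:
    """All the owner's settings page can show: whether a password is set."""
    return MASK if record else ""


def reset_password(table: dict, gallery: str, new_password: str) -> None:
    """A forgotten password cannot be read back, only replaced."""
    table[gallery] = make_record(new_password)


if __name__ == "__main__":
    # Constructed sample data: two galleries that share one password.
    table = {
        "smith-wedding": make_record("tulips-2015"),
        "jones-family": make_record("tulips-2015"),
    }
    print(table["smith-wedding"]["hash"] != table["jones-family"]["hash"])
    print(verify(table["smith-wedding"], "tulips-2015"))
    reset_password(table, "jones-family", "abcd")
    print(verify(table["jones-family"], "tulips-2015"))
    print(settings_view(table["jones-family"]))
```

Because each row holds only a salt and a hash, the mask in this sketch is the same length whatever password was saved.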
  • leftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited October 7, 2015
    One option for managing passwords, so you don't have to remember them, is to use Password Vault programs like "1Password". Basically you create 1 master, super secure password, and it then stores all your passwords in there. I have a special "Vault" for my SmugMug gallery passwords. It remembers the password, but even more awesome, is that it remembers where that password came from (which website URL). So if I ever come back to the gallery, it knows which password to pull up, and can even fill it out for me!
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • tlphotos Registered Users Posts: 63 Big grins
    edited October 8, 2015
    Thanks for the updates and information! Dealing with passwords is just an annoying part of today's world I guess. Smugmug is awesome and I continue to use Smugmug because you guys are awesome! Keep up the good work!
  • Realitytourist Registered Users Posts: 12 Big grins
    edited October 8, 2015
    Wish I'd checked this thread before I hit publish. So the number of asterisks has nothing to do with the actual password length? I ask because I saw ten asterisks. I couldn't remember the password (it's to a personal, family gallery), so I changed it to a short, four-letter password for now. I was able to log in (I use an incognito window for public viewing), but when I checked again in the settings, it still shows a ten-asterisk password. But my short password still works.
    Mike
  • Cygnus Studios Registered Users Posts: 2,294 Major grins
    edited October 9, 2015
    Realitytourist wrote: »
    Wish I'd checked this thread before I hit publish.

    This is one of the main "gotchas" with switching over. I switched the day after the new smug was offered and I also didn't realize that I would lose my passwords, all 238 of them.

    Being how this was "all about me" I was quite unhappy at having to go through the process of changing them and notifying clients about the change.

    As leftquark has explained, it isn't about us individually, it's about protecting the entire system which makes sense once it is explained. However smugmug didn't do the best job of providing that information before we were gotten by the change.

    Today I have a system for backing up passwords, but I understand the pain of learning the hard way.
    Steve

    Website
  • leftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited October 12, 2015
    Cygnus Studios wrote: »
    This is one of the main "gotchas" with switching over. I switched the day after the new smug was offered and I also didn't realize that I would lose my passwords, all 238 of them.

    Being how this was "all about me" I was quite unhappy at having to go through the process of changing them and notifying clients about the change.

    As leftquark has explained, it isn't about us individually, it's about protecting the entire system which makes sense once it is explained. However smugmug didn't do the best job of providing that information before we were gotten by the change.

    Today I have a system for backing up passwords, but I understand the pain of learning the hard way.

    Thank you for being so understanding Steve. I completely agree that we could have done a better job, and it's certainly one of the reasons why I made sure we included it in our New SmugMug Help Center (which went live recently ... I realize it would have been nice had this existed back when you first launched) and also built new tools to recover passwords.
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • Cygnus Studios Registered Users Posts: 2,294 Major grins
    edited October 12, 2015
    leftquark wrote: »
    Thank you for being so understanding Steve. I completely agree that we could have done a better job, and it's certainly one of the reasons why I made sure we included it in our New SmugMug Help Center (which went live recently ... I realize it would have been nice had this existed back when you first launched) and also built new tools to recover passwords.

    Once I got over the "It's all about me", I thought about all the times that I messed up and Smugmug saved me (and still does), so I figured that I owed them at least one little mess up. :D
    Steve

    Website