Show Gallery Password in Gallery Settings
Packhorse-4
Registered Users Posts: 65 Big grins
Good Morning - I am looking through some of my galleries to check out the new SmugMug design from a customer viewpoint. Overall, the new design is looking really good - Thanks!
I have several password protected galleries for customers and I let them choose the password - I would type in the password they selected when setting up the gallery. Previously, when I went into the Gallery Settings, I could scroll down to the password section and view the password. This was handy when I needed to view the site as the customers do, or if someone contacted me because they couldn't recall their password. All I see now is a line of asterisks (**********).
Is there any way to reveal the password? I could change the password, but if I am only trying to view the page as my customers do, I don't want to change their password.
-- John
Comments
I ask because I read another post that made it sound like they were all lost...
Correct - The passwords are all in place, but I just can't read them any longer. The ones I remember continue to work, but for the ones I can't recall - All I see is a row of *********.
-- John
Have you gone live on NEW SM?
The other user said they went bye bye as soon as they went live... all their passworded galleries were open for all to see...
http://den123.smugmug.com
Yes - I went live on the NEW SM the day after the press release. The gallery passwords are not missing - they are still in place and working as expected. The only issue is that I can't read them.
-- John
I'm sorry, it is no longer possible for you, or us, to see passwords once you save the gallery. If you or the client have forgotten the password, you will simply need to create a new one. We did this for security, I'm sorry for the inconvenience.
I'm all for security, but the only way to see the Gallery Passwords is when you are already logged in to the main SmugMug account. At that point you don't need a Gallery Password because you already have full access to view, edit, delete, etc. all of the photos in the account - Password protected or not.
I guess I'll need to start a spreadsheet with all of my SmugMug Gallery Passwords in case I need to view a gallery as my clients do or remind them of the password if they forget. At a minimum, I will need to find some way to store the passwords with my client information now that I can no longer see them in the Gallery Settings section.
-- John
-Adam
SmugMug Support Hero
them down while still in Legacy. Perhaps a page redirect with this warning in the process.
My Website index | My Blog
Please fix! I need to be able to see these passwords and it would have been nice to know I can't see them before I went over to the new site!
Good grief!
Hi JETA,
We have your passwords safely tucked away for you. If you'd like to have them sent to you, please send a message to our Support Heroes. Storing plain text passwords is a really bad way to keep your photos safe. You only need to read the headlines to know how big of an issue photo security is. This change is one of the many ways that New SmugMug keeps your photos safe.
Former SmugMug Product Team
aaron AT aaronmphotography DOT com
Website: http://www.aaronmphotography.com
My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
For security reasons we do not transmit your gallery passwords through the internet as plaintext. You only need to look at the news headlines to see why photo password security is important and we take your photo security seriously.
Former SmugMug Product Team
I am not sure you fully understand all the attack vectors we are protecting against with the removal of password visibility, so let me clarify a few points.
Let's talk about assuming the liability for the Owner's account as if that is the only potential vulnerability. That's not the primary attack we are protecting against with this case. If you can log into an account, you can already access those galleries. That's not the concern here. Instead, imagine said hackers managed to compromise our Galleries tables in our database. They don't have access to accounts, but they have the data we have stored regarding the galleries for all users. If we stored the gallery passwords in plaintext in that table, they now have access to _every_ "secured" gallery on our site, even though they have not managed to compromise a single customer's account. In order for us to reveal passwords to owners, that data would be inherently insecure and thus the hackers who got the gallery data would then have them all.
Thankfully no such breach has ever happened, and our Ops and Engineering teams are extremely talented. But these are exactly the sort of precautions that help us make sure that no such breach ever does happen, or that, if one ever does, the damage is minimal. That sort of breach is the type you hear about in the news from sites like Ashley Madison, Target and Home Depot. Those sites weren't compromised because a single customer's account was breached. They were compromised at a much higher level, and entire data sets were stolen. In Target and Home Depot's cases, it was primarily personal data like credit card numbers (which we also protect, unlike those two much larger companies). In Ashley Madison's case it was other user data like messages and contacts that they thought was secure. We protect secured galleries to make sure that anyone who got into that data couldn't then expose all protected galleries on SmugMug, and then we also take every modern precaution to make sure that nobody could actually get into that data. This is about modern best practices for security. Plaintext password storage is a huge vulnerability.
As to the point about being worried that someone will gain access to a Customer's Account through the galleries, that's simply not the point I have been making. Nobody is gaining access to an account through an unsecured gallery password. As mentioned above, this is protecting against every vector instead of just the obvious one through the Customer's Account.
If a customer account is compromised, they gain access to that customer's galleries. If the gallery data is compromised from a different vector, they would gain access to EVERY customer's galleries if we didn't hash the passwords properly.
That's why entire sites exist to shame services that use plaintext password storage:
http://plaintextoffenders.com/
They have examples of exactly what I am talking about, large scale data leaks, on their About page:
http://plaintextoffenders.com/about/
That's the primary question at the core of this security measure. If SmugMug had a compromise of gallery data, which thankfully we have been able to prevent for over 13 years, would you want someone to be able to read every password to every gallery and publish those online for everyone to see? I can't answer for you obviously, but I can answer for the vast majority of our customers that we have talked to. The answer is overwhelmingly that they expect us to secure their password protected galleries to the absolute best security standards. That is why we made this change.
You might disagree with those security measures, but these are absolutely the recommendations of *every single top security expert*.
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
http://php.net/manual/en/faq.passwords.php
http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374
I can go on, but you get the point. I don't know of a single security expert or publication who recommends against hashing + salting passwords. If you expect to secure data, you have to stay on top of modern standards.
Unfortunately, in this case, this solution is simply non-negotiable. I wish we could accommodate your specific use case, but we cannot overrule our top security experts to implement what is widely considered bad practice. I hope you understand.
SmugMug Support Hero
Former SmugMug Product Team
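The post above describes the threat model (an attacker who copies the galleries table but holds no account) and the defence (salted, stretched hashing). The following is an added example, not SmugMug's code and not its actual schema: it models a hypothetical galleries table with one row per gallery, stores only a per-row salt, an iteration count and a PBKDF2-HMAC-SHA256 digest, and then runs the attacker's side of the story, an offline guess against a dumped copy of the table. Function names, the record layout and the sample passwords and wordlist are all constructed for illustration. PBKDF2 is used only because it ships in Python's standard library; the OWASP cheat sheet linked above prefers Argon2id or bcrypt where a library is available.

```python
"""Salted password hashing for a hypothetical galleries table (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stretching cost for real deployments. The demo below passes a lower count
# so it runs in well under a second; OWASP's current guidance is higher.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass(frozen=True)
class GalleryRecord:
    """One row of the (hypothetical) galleries table. There is no password column."""
    gallery_id: int
    salt: bytes
    iterations: int
    digest: bytes


def set_gallery_password(gallery_id: int, password: str,
                         iterations: int = DEFAULT_ITERATIONS) -> GalleryRecord:
    """Store only a salted, stretched digest; the plaintext is discarded here.

    Because nothing invertible is kept, no "reveal password" feature can be
    built on top of this table, which is exactly the trade-off in the thread.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per gallery: equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return GalleryRecord(gallery_id, salt, iterations, digest)


def verify_gallery_password(record: GalleryRecord, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record.salt, record.iterations)
    return hmac.compare_digest(candidate_digest, record.digest)


def crack_dumped_table(records, wordlist):
    """What an attacker holding a copy of the table, but no account, can recover.

    Every salt differs, so each guess has to be stretched once per record and
    the work grows as records x guesses. Only passwords that appear in the
    attacker's wordlist fall; hashing does not rescue a weak password.
    Returns {gallery_id: recovered_password}.
    """
    recovered = {}
    for record in records:
        for guess in wordlist:
            if verify_gallery_password(record, guess):
                recovered[record.gallery_id] = guess
                break
    return recovered


if __name__ == "__main__":
    # Constructed sample rows; a low iteration count keeps the demo quick.
    rows = [
        set_gallery_password(101, "smith-wedding-2015", iterations=20_000),
        set_gallery_password(102, "password1", iterations=20_000),
    ]
    # Constructed attacker wordlist. The passphrase survives; the weak one does not.
    print(crack_dumped_table(rows, ["123456", "password1", "letmein"]))
```

The point a practitioner should take from the last function is the one the thread circles around: with plaintext storage every row in a dump is readable at once, whereas with per-row salts and a stretched hash the attacker pays the full cost per gallery per guess and still only recovers the guessable passwords. The owner-side cost is real too, since nothing in the record can be turned back into the password, so a reset is the only recovery path.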
This is one of the main "gotchas" with switching over. I switched the day after the new smug was offered and I also didn't realize that I would lose my passwords, all 238 of them.
Being how this was "all about me" I was quite unhappy at having to go through the process of changing them and notifying clients about the change.
As leftquark has explained, it isn't about us individually, it's about protecting the entire system which makes sense once it is explained. However smugmug didn't do the best job of providing that information before we were gotten by the change.
Today I have a system for backing up passwords, but I understand the pain of learning the hard way.
Thank you for being so understanding Steve. I completely agree that we could have done a better job, and it's certainly one of the reasons why I made sure we included it in our New SmugMug Help Center (which went live recently ... I realize it would have been nice had this existed back when you first launched) and also built new tools to recover passwords.
Former SmugMug Product Team
Once I got over the "It's all about me", I thought about all the times that I messed up and Smugmug saved me (and still does), so I figured that I owed them at least one little mess up.