Big security issue #587051
19/09/16 12:33 AM
NinjaWithSpoons (apprentice, OP), Joined: Sep 2016, Posts: 46
When I registered on the forums, my confirmation email contained my password in plain text. Do NOT do this. This also means that you guys are storing passwords in plain text in the database. Do NOT do that either!

Hash them for storage. When someone logs in, hash what they input as the password and compare it to the hash in the database. That is how it should be done. Then you will never have an issue of sending plain text password because it will be impossible.

Our passwords are at risk for no good reason. Not only on this site, but many of us use the same password for various accounts on various websites. Please fix this.

Re: Big security issue [Re: NinjaWithSpoons] #587076
19/09/16 01:59 AM
vometia (Duchess of Gorgombert), Joined: May 2010, Posts: 3,552, The Frog & Hounds
The forum software is pretty old and unfortunately isn't likely to be updated any time soon: I would like it to be for other reasons too, but Larian has rather limited resources. I would strongly recommend using different login credentials on each site you use: most password managers can generate strong, unique passwords.

At the very least, I would never consider reusing a password on sites which do not encrypt their traffic (i.e. http instead of https).


J'aime le fromage.
Re: Big security issue [Re: NinjaWithSpoons] #587080
19/09/16 02:04 AM
retrop (stranger), Joined: Sep 2016, Posts: 7
I agree. I signed up with a password manager (and an auto generated random password) but I was still very sad to see my password showing up like that in a confirmation email. Every piece of one's online identity matters and should at least be protected by this basic and (what I apparently naively assumed) standard practice.

Re: Big security issue [Re: vometia] #587097
19/09/16 02:40 AM
NinjaWithSpoons (apprentice, OP), Joined: Sep 2016, Posts: 46
Ya, of course. Immediately changed my password.

However, I would urge that the protection of customer credentials should be paramount. This type of security is the baseline for any legitimate business. It is a problem that has been solved already and it is easy to implement.

You gotta take care of your customers. What happens when there is a SQL injection breach (which this site is unlikely to be protected against) and whoops now someone has the legit password for anyone with an account here, maybe 20% of which use a password manager or something like that and don't reuse passwords. Now those 80% have their password (and associated username) in a table somewhere ready to brute force a bank account or whatever. Sure there is no sure fire security that will protect against everything and still have good performance, but to be honest, this is so baseline it is rather unacceptable these days to not do it. They are overlooking customer safety for short term profits and goals. So sad.

One guy puts a day's worth of time on it, now ass is covered.

Last edited by NinjaWithSpoons; 19/09/16 02:55 AM.
Re: Big security issue [Re: NinjaWithSpoons] #587111
19/09/16 03:24 AM
smuckleberry (stranger), Joined: Sep 2016, Posts: 5
One nitpick, they aren't necessarily storing the password as plain text on the back end too. But yeah the page should definitely be https.


Doesn't take much resources to have an https forum, should be mandatory.

It's a must to use a separate password, username, and e-mail for http registration and login.

Re: Big security issue [Re: smuckleberry] #587114
19/09/16 03:37 AM
Ayvah (enthusiast), Joined: Oct 2015, Posts: 379
Originally Posted By: smuckleberry
One nitpick, they aren't necessarily storing the password as plain text on the back end too.

Encrypting passwords is little better.

Passwords should be hashed (and salted) using a robust one-way algorithm.
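The hash-and-compare login flow NinjaWithSpoons describes in the opening post, with the per-user salt Ayvah asks for above, as an added Python example. This is not the forum's own code (UBB.threads is PHP and none of it appears in the thread); it assumes PBKDF2-HMAC-SHA256 from the standard library, a toy in-memory user table, and a constructed iteration count and confirmation-mail text. The confirmation mail is built from the username only, so there is no plaintext password left to leak through email.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor for PBKDF2-HMAC-SHA256 (constructed for this example;
# tune to your hardware). Memory-hard KDFs such as scrypt or Argon2 are the
# stronger choice; PBKDF2 is used here because it is in the standard library.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt_hex>$<hash_hex>'.

    The plaintext never appears in the record. A fresh random salt per user
    means two users with the same password get different records, and a
    precomputed table cannot be reused across the whole database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Toy in-memory "database": username -> stored record (constructed for the example).
USERS: Dict[str, str] = {}


def register(username: str, password: str) -> str:
    """Hash first, store only the record, then build the confirmation mail.

    The mail is assembled after storage and from the username alone, so the
    plaintext is discarded as soon as it has been hashed.
    """
    USERS[username] = hash_password(password)
    return (
        "Subject: Welcome to the forum\n\n"
        "Hi {user}, your account has been created. "
        "Log in with the password you chose at registration.\n"
    ).format(user=username)


def login(username: str, password: str) -> bool:
    """Hash the submitted password and compare it with the stored record."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample run.
    mail = register("NinjaWithSpoons", "correct horse battery staple")
    print(mail)
    print("stored record:", USERS["NinjaWithSpoons"])
    print("right password:", login("NinjaWithSpoons", "correct horse battery staple"))
    print("wrong password:", login("NinjaWithSpoons", "hunter2"))
```

Running the block prints a confirmation mail with no password in it, a stored record made of algorithm, iteration count, salt and hash, and True/False for the correct and wrong password. Because the record carries its own salt and iteration count, the work factor can be raised later by re-hashing each user at their next successful login.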

Re: Big security issue [Re: Ayvah] #587142
19/09/16 06:08 AM
vometia (Duchess of Gorgombert), Joined: May 2010, Posts: 3,552, The Frog & Hounds
Originally Posted By: Ayvah
Encrypting passwords is little better.

Passwords should be hashed (and salted) using a robust one-way algorithm.

I think that's what's generally understood by password encryption: I imagine it's been a long while since any password system used a reversible method. Although I'm not particularly familiar with this forum's back-end, I would imagine that the confirmation emails that are generated are done so at that time using the password as entered on the registration form by the user before it goes through its one-way hashing and the original discarded forever. The plaintext password isn't necessarily being stored anywhere, although sending it through unencrypted email is obviously less than ideal.

I'd never place my trust 100% in one-way encryption, though: not enough to consider password reuse to be safe and viable. I remember when Unix's DES scheme was considered so unbreakable it wasn't even considered necessary to keep the passwords out of public view... which obviously went well.


J'aime le fromage.
Re: Big security issue [Re: vometia] #587147
19/09/16 06:27 AM
NinjaWithSpoons (apprentice, OP), Joined: Sep 2016, Posts: 46
Maybe colloquially encryption could refer to hashing to a layman, but they are certainly two distinct things. It may have been a long while since any password system has used a reversible method, but it's also been a long while since sending plain text passwords over email has been a thing. So who knows.

While this is just speculation, I would be almost certain that they are not sending the email without having already stored the information, as that would just be conceptually poor design. You don't want to send off an email saying an account was created when in fact it subsequently had an error saving to the database so does not exist at all. Leaving the user to WTF. But I guess it's that poor design vs the poor design of plain text passwords; we don't know what they did.

Either way, of course nothing is unbreakable, but web security isn't about 100% preventing any possible breaches. It's about taking reasonable steps based on the application to keep your ass covered.

Re: Big security issue [Re: NinjaWithSpoons] #587186
19/09/16 09:04 AM
ForkTong (old hand), Joined: Dec 2003, Posts: 843, Krynn
I just wrote this in another topic.

The password is sent to your email before it is stored in the database.

I can assure you that the password in the database is properly hashed and salted. I couldn't tell you your password if you asked for it, and anyone that could get into our database would just have rubbish for passwords.

For instance, if you reset your password, you will be sent a temporary password that you need to change immediately. Because: the forum does not know your password. And neither do we.

How I know: I investigated this and had a look at the database. I will now check the code if I can find where they build the registration mail and leave out the plain text password.


Tweeting @forktong
Re: Big security issue [Re: NinjaWithSpoons] #587190
19/09/16 09:09 AM
Linio (enthusiast), Joined: Feb 2015, Posts: 239
Depending on when you actually received the email, this does not prove the passwords are stored in plain text.
I'm pretty sure it's not the case here.

This could have gone like this:
Register, your password is saved in the session, sent by email, encrypted into the database.
If you were to ask for your password and it was sent by email, then there's a problem, otherwise...

Of course sending an email with a plain password is not a very good practice but well...

Re: Big security issue [Re: NinjaWithSpoons] #587224
19/09/16 11:42 AM
ForkTong (old hand), Joined: Dec 2003, Posts: 843, Krynn
Update: I looked for the plain text password in code and removed sending it.


Tweeting @forktong
Re: Big security issue [Re: ForkTong] #587267
19/09/16 02:32 PM
NinjaWithSpoons (apprentice, OP), Joined: Sep 2016, Posts: 46
ForkTong - Thank you so much for looking into this and fixing the issue. And sorry to suggest that plain text passwords were being stored when they in fact weren't.

I appreciate very much how quickly this was resolved.

Re: Big security issue [Re: NinjaWithSpoons] #587330
19/09/16 05:11 PM
ForkTong (old hand), Joined: Dec 2003, Posts: 843, Krynn
Don't mention it, Spoonman!


Tweeting @forktong

Powered by UBB.threads™ PHP Forum Software 7.6.2