#587051 19/09/16 12:33 AM
Joined: Sep 2016
N
apprentice
OP Offline
When I registered on the forums, my confirmation email contained my password in plain text. Do NOT do this. This also means that you guys are storing passwords in plain text in the database. Do NOT do that either!

Hash them for storage. When someone logs in, hash what they input as the password and compare it to the hash in the database. That is how it should be done. Then you will never have an issue of sending a plain text password, because it will be impossible.

Our passwords are at risk for no good reason. Not only on this site, but many of us use the same password for various accounts on various websites. Please fix this.

Joined: May 2010
Location: Oxford
Duchess of Gorgombert
Offline
The forum software is pretty old and unfortunately isn't likely to be updated any time soon: I would like it to be for other reasons too, but Larian has rather limited resources. I would strongly recommend using different login credentials on each site you use: most password managers can generate strong, unique passwords.

At the very least, I would never consider reusing a password on sites which do not encrypt their traffic (i.e. http instead of https).


J'aime le fromage.
Joined: Sep 2016
R
stranger
Offline
I agree. I signed up with a password manager (and an auto generated random password) but I was still very sad to see my password showing up like that in a confirmation email. Every piece of one's online identity matters and should at least be protected by this basic and (what I apparently naively assumed) standard practice.

Joined: Sep 2016
N
apprentice
OP Offline
Ya, of course. Immediately changed my password.

However, I would urge that the protection of customer credentials should be paramount. This type of security is the baseline for any legitimate business. It is a problem that has been solved already and it is easy to implement.

You gotta take care of your customers. What happens when there is a SQL injection breach (which this site is unlikely to be protected against) and whoops now someone has the legit password for anyone with an account here, maybe 20% of which use a password manager or something like that and don't reuse passwords. Now those 80% have their password (and associated username) in a table somewhere ready to brute force a bank account or whatever. Sure there is no sure fire security that will protect against everything and still have good performance, but to be honest, this is so baseline it is rather unacceptable these days to not do it. They are overlooking customer safety for short term profits and goals. So sad.

One guy puts a day's worth of time on it, now ass is covered.

Last edited by NinjaWithSpoons; 19/09/16 02:55 AM.
Joined: Sep 2016
S
stranger
Offline
One nitpick, they aren't necessarily storing the password as plain text on the back end too. But yeah the page should definitely be https.


Doesn't take much resources to have an https forum, should be mandatory.

It's a must to use a separate password, username, and e-mail for http registration and login.

Joined: Oct 2015
addict
Offline
Originally Posted by smuckleberry
One nitpick, they aren't necessarily storing the password as plain text on the back end too.

Encrypting passwords is little better.

Passwords should be hashed (and salted) using a robust one-way algorithm.

Joined: May 2010
Location: Oxford
Duchess of Gorgombert
Offline
Originally Posted by Ayvah
Encrypting passwords is little better.

Passwords should be hashed (and salted) using a robust one-way algorithm.

I think that's what's generally understood by password encryption: I imagine it's been a long while since any password system used a reversible method. Although I'm not particularly familiar with this forum's back-end, I would imagine that the confirmation emails are generated at that time using the password as entered on the registration form by the user, before it goes through its one-way hashing and the original is discarded forever. The plaintext password isn't necessarily being stored anywhere, although sending it through unencrypted email is obviously less than ideal.

I'd never place my trust 100% in one-way encryption, though: not enough to consider password reuse to be safe and viable. I remember when Unix's DES scheme was considered so unbreakable it wasn't even considered necessary to keep the passwords out of public view... which obviously went well.


J'aime le fromage.
Joined: Sep 2016
N
apprentice
OP Offline
Maybe colloquially encryption could refer to hashing to a layman, but they are certainly two distinct things. It may have been a long while since any password system has used a reversible method, but it's also been a long while since sending plain text passwords over email has been a thing. So who knows.

While this is just speculation, I would be almost certain that they are not sending the email without having already stored the information, as that would just be conceptually poor design. You don't want to send off an email saying an account was created when in fact it subsequently had an error saving to the database and so does not exist at all, leaving the user to WTF. But I guess it's that poor design vs the poor design of plain text passwords; we don't know what they did.

Either way, of course nothing is unbreakable, but web security isn't about 100% preventing any possible breaches. It's about taking reasonable steps based on the application to keep your ass covered.

Joined: Dec 2003
Location: Krynn
old hand
Offline
I just wrote this in another topic.

The password is sent to your email before it is stored in the database.

I can assure you that the password in the database is properly hashed and salted. I couldn't tell you your password if you asked for it, and anyone that could get into our database would just have rubbish for passwords.

For instance, if you reset your password, you will be sent a temporary password that you need to change immediately. Because: the forum does not know your password. And neither do we.

How I know: I investigated this and had a look at the database. I will now check the code to see if I can find where they build the registration mail and leave out the plain text password.


Tweeting @forktong
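As an added example (not the forum software's code, nor code from any poster), here is the scheme the opening post, Ayvah's reply and the post above all describe: hash with a per-account random salt at registration, recompute and compare in constant time at login, and hand out a temporary credential on reset because the stored record cannot be turned back into the password. The `register`, `login` and `reset_password` functions and the in-memory dict standing in for the database are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 200_000

@dataclass(frozen=True)
class StoredCredential:
    # The only thing the database keeps: salt, parameters, digest, a flag.
    salt: bytes
    iterations: int
    digest: bytes
    must_change: bool = False

def hash_password(password: str, salt: Optional[bytes] = None,
                  must_change: bool = False) -> StoredCredential:
    # A fresh 16-byte random salt per account means identical passwords
    # get different digests and precomputed tables are useless.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return StoredCredential(salt, ITERATIONS, digest, must_change)

def verify_password(candidate: str, stored: StoredCredential) -> bool:
    # Recompute with the stored salt and parameters, compare in constant time.
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     stored.salt, stored.iterations)
    return hmac.compare_digest(recomputed, stored.digest)

# Constructed in-memory "database"; the dummy record keeps login timing the
# same for unknown usernames as for real ones.
Database = Dict[str, StoredCredential]
_DUMMY = hash_password(secrets.token_hex(16))

def register(db: Database, username: str, password: str) -> None:
    # The plaintext is consumed here; a confirmation mail built afterwards
    # has no way to recover it from `db`.
    db[username] = hash_password(password)

def login(db: Database, username: str, candidate: str) -> bool:
    stored = db.get(username, _DUMMY)
    return verify_password(candidate, stored) and username in db

def reset_password(db: Database, username: str) -> str:
    # The site cannot reveal the old password, so it issues a random
    # temporary one whose hash replaces the record and must be changed.
    temp = secrets.token_urlsafe(12)
    db[username] = hash_password(temp, must_change=True)
    return temp
```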
Joined: Feb 2015
enthusiast
Offline
Depending on when you actually received the email, this does not prove the passwords are stored in plain text.
I'm pretty sure it's not the case here.

This could have gone like this:
Register, your password is saved in the session, sent by email, encrypted into the database.
If you were to ask for your password and it was sent by email, then there's a problem, otherwise...

Of course sending an email with a plain password is not a very good practice but well...

Joined: Dec 2003
Location: Krynn
old hand
Offline
Update: I looked for the plain text password in code and removed sending it.


Tweeting @forktong
Joined: Sep 2016
N
apprentice
OP Offline
ForkTong - Thank you so much for looking into this and fixing the issue. And sorry to suggest that plain text passwords were being stored when they in fact weren't.

I appreciate very much how quickly this was resolved.

Joined: Dec 2003
Location: Krynn
old hand
Offline
Don't mention it, Spoonman!


Tweeting @forktong