#587057 19/09/16 12:39 AM
apprentice (OP), Joined: Sep 2016
Sorry, I posted this in an inappropriate thread under Divinity: Original Sin 2. I think it belongs here:


When I registered on the forums, my confirmation email contained my password in plain text. Do NOT do this. This also means that you guys are storing passwords in plain text in the database. Do NOT do that either!

Hash them for storage. When someone logs in, hash what they input as the password and compare it to the hash in the database. That is how it should be done. Then you will never have an issue of sending a plain text password, because it will be impossible.

Our passwords are at risk for no good reason. Not only on this site, but many of us use the same password for various accounts on various websites. Please fix this.

old hand, Joined: Dec 2003, Location: Krynn
Hello,

The password is sent to your email before it is stored in the database.

I can assure you that the password in the database is properly hashed and salted. I couldn't tell you your password if you asked for it, and anyone that could get into our database would just have rubbish for passwords.

For instance, if you reset your password, you will be sent a temporary password that you need to change immediately. Because: the forum does not know your password. And neither do we.
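The hash-for-storage, re-hash-and-compare login flow asked for in the opening post, together with the temporary-password reset described in the reply above, as an added example that is not this forum's own software. PBKDF2-HMAC-SHA256, the iteration count, and the in-memory "database" are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not the forum's code: the "database" is a plain dict
# mapping username -> {salt, hash, must_change}. Work factor is an assumption.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 iteration count (assumed)
SALT_LEN = 16         # bytes of random salt per user


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way derivation: the cleartext cannot be recovered from the output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """Store only a fresh random salt and the hash; the cleartext is never kept,
    so there is nothing left to put in a confirmation email."""
    salt = os.urandom(SALT_LEN)
    db[username] = {"salt": salt, "hash": hash_password(password, salt),
                    "must_change": False}


def verify(db: dict, username: str, password: str) -> bool:
    """Login: hash the submitted password with the stored salt and compare
    in constant time against the stored hash."""
    rec = db.get(username)
    if rec is None:
        # Do equivalent work for unknown users so response time does not
        # reveal whether an account exists.
        hash_password(password, bytes(SALT_LEN))
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def issue_temporary_password(db: dict, username: str) -> str:
    """Reset flow from the reply: the site does not know the old password, so it
    generates a random temporary one, stores only its hash, hands the cleartext
    back once for delivery, and forces a change at next login."""
    if username not in db:
        raise KeyError(username)
    temp = secrets.token_urlsafe(12)
    salt = os.urandom(SALT_LEN)
    db[username] = {"salt": salt, "hash": hash_password(temp, salt),
                    "must_change": True}
    return temp
```

Two users choosing the same password end up with different stored hashes because each has its own salt, which is what "hashed and salted" buys against bulk cracking of a leaked table.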

#671208 29/07/20 10:05 AM
stranger, Joined: Jul 2020
As a fan of the studio, and a gamer looking forward to BG3, I made an account here. Quite frankly I am pretty shocked by the sloppy security protocols implemented here.

I want to raise the following issues, of course in the hopes that these will be fixed (and imo they should be!).

1) No https for the forums, seriously? I am on holiday in a less-than-privacy-friendly country, and my first thought was the govt was mass-MITMing public traffic. Imo this is below ANY standard.
2) Plaintext passwords in email? Are you kidding me? I don't think I need to explain this one.
3) Only 20 characters for the passwords? Should be expanded a LOT imo.

These things combined make me think that the website might not have been kept up to date as well as it should be.
And to think I only tried to register here to let my voice be known for a Linux version of BG3!
Pretty negative first post, I understand that but... I feel these issues had to be raised, and level up the website along with your game design!

I appreciate all the hard work you guys have put into your game(s) and would say, keep it up!

Support, Joined: Mar 2003, Location: Canada

There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content, since 2003).
After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.

stranger, Joined: Jul 2020
I am happy to hear that you are aware and agree things could be better! And of course also that there are plans for improvement. Admittedly 20-character passwords are kinda 2000s.

That said, no SSL is imo really an issue; hopefully you'll take that along in the upgrade at least, even though I really see no reason at all not to have a cert for anything these days.

Last edited by Herbzmoka; 31/07/20 02:09 PM.
stranger, Joined: Aug 2020, Location: Turkey
Hello
Just created an account to point out https ;) and found my answer. You'd better hurry, because with BG3 this forum will be much more crowded, and that may also mean active targeting by evil-doers.

Last edited by Lanetolsun; 26/08/20 07:45 PM. Reason: typo

He who fights with monsters might take care lest he thereby become a monster. And when you gaze long into an abyss the abyss also gazes into you.

AMD Ryzen 7700X, 64GB Ram, Rtx 3080 12GB, lg-34GK950F-B,Logitech Z906 Thx.
Raze #673417 28/08/20 12:35 PM
journeyman, Joined: Oct 2017
Originally Posted by Raze

There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content, since 2003).
After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.


Implementing HTTPS is done on the web server layer, not on the forum software layer. It's a no-brainer and takes an hour to implement, at most. It's shameful for Larian that they still use insecure http in 2020.

Duchess of Gorgombert, Joined: May 2010, Location: Oxford
We are aware of the issue and I have escalated it. Unfortunately I am not able to implement it myself.


J'aime le fromage.
journeyman, Joined: Oct 2017
Originally Posted by vometia
We are aware of the issue and I have escalated it. Unfortunately I am not able to implement it myself.


Being aware of something, and actually fixing something are two very different things. I hope your escalation bears fruit. Thanks for doing so.

veteran, Joined: Mar 2003
The German-language chat forums seem to be gone ???



When you find a big kettle of crazy, it's best not to stir it.
--Dilbert cartoon

"Interplay.some zombiefied unlife thing going on there" - skavenhorde at RPGWatch
Duchess of Gorgombert, Joined: May 2010, Location: Oxford
Originally Posted by AlrikFassbauer
The German-language chat forums seem to be gone ???

They have moved! Much closer to the top now, in the hope that more people see they exist.


stranger, Joined: Mar 2020
Why the hell does this exist:

You can only make a post every 1800 seconds. Please try again once this time has expired.

I am trying to help out people and I can't write multiple posts, why??? I need to wait 30 minutes between posts. Deal breaker for me. What the hell!!!!
This should be removed asap.

Duchess of Gorgombert, Joined: May 2010, Location: Oxford
It's a restriction on new registrations due to spam problems in the past. The restriction is normally lifted quite soon, as it has been in your case.


stranger, Joined: Oct 2020, Location: Paris
It may be the worst forum you've ever heard of, but at least you've heard of it.

ForkTong #678665 07/10/20 01:35 PM
stranger, Joined: Oct 2020
I just wanted to create a post regarding the same issue. While I trust you that passwords are stored securely, emails are still similar to postcards, and sending the password that I just chose to create this account in plain text is a very bad and outdated practice. Any mail server involved gets a copy of the login credentials. Please consider disabling this if the forum's software allows that. Thanks!

smiley #678727 07/10/20 01:59 PM
Duchess of Gorgombert, Joined: May 2010, Location: Oxford
Originally Posted by smiley
I just wanted to create a post regarding the same issue. While I trust you that passwords are stored securely, emails are still similar to postcards, and sending the password that I just chose to create this account in plain text is a very bad and outdated practice. Any mail server involved gets a copy of the login credentials. Please consider disabling this if the forum's software allows that. Thanks!

At present it doesn't, and I agree, SMTP is not renowned for its security rating. https is fairly imminently due to happen and once that's out the way I'll see what can be done about removing plaintext passwords from the confirmation emails. You are correct in that they are at least stored using a one-way encryption algorithm.


vometia #678771 07/10/20 02:26 PM
stranger, Joined: Oct 2020
Thank you for the heads-up!

stranger, Joined: Mar 2020
I just started playing Baldur's Gate 3 / looking for official forums. LOL

apprentice, Joined: Oct 2020
It is also my first impression that this forum is out of date. When my browser warned me about the insecure connection, I double checked that this was in fact the official site. Very curious why this forum still remains in this shape, when the front page is so well made with all the sleek advertising and technical prowess that you only see in big projects. The game certainly would deserve a forum overhaul, and I believe it would also be very helpful if the forums are structured more specifically; keep in mind that this is my first impression, but it seems that the discussion areas are big "catch all" bins, and if the developers are serious about taking our feedback, then this makes it more difficult for them to find specific feedback or ideas.


I cannot change this name anymore, please send help.
The avatar is created by an AI called midjourney, and it is done so by essentially typing text, pretty dope, huh?
Duchess of Gorgombert, Joined: May 2010, Location: Oxford
Originally Posted by Ben Thunder
It is also my first impression that this forum is out of date. When my browser warned me about the insecure connection, I double checked that this was in fact the official site. Very curious why this forum still remains in this shape, when the front page is so well made with all the sleek advertising and technical prowess that you only see in big projects. The game certainly would deserve a forum overhaul, and I believe it would also be very helpful if the forums are structured more specifically; keep in mind that this is my first impression, but it seems that the discussion areas are big "catch all" bins, and if the developers are serious about taking our feedback, then this makes it more difficult for them to find specific feedback or ideas.

The forums are due for a major upgrade at some point in the future but I don't have a timescale available at present. https is a known issue and discussed a few posts back; to reiterate, it is being worked on and undergoing testing; it will be rolled out soon. The forum structure is currently under review and that and the look-and-feel will be determined by publishing, but their priorities have been elsewhere recently. I may work on a refreshed skin/theme myself, but as a volunteer sysadmin my artistic skills are less good.

Feedback will be assessed and reviewed, as will technical issues, though it is certainly rather busy at present.


stranger, Joined: Oct 2020
Hello

It is incredible that a company like yours does not take care of the MOST elementary security protection...
Please urgently protect our logins by using HTTPS on your forum!!

Thanks a lot,
best regards,
Kalthen

stranger, Joined: Oct 2020
Came here to post this. Do not send plain text passwords via email. There is simply no reason to do this.

Duchess of Gorgombert, Joined: May 2010, Location: Oxford
As mentioned, an https-enabled forum is currently being tested and will be rolled out soon. Passwords are emailed out at the time of account creation which is bad practice but they are at least not stored in cleartext but one-way encrypted. The software does not provide a way to disable it; if it is not fixed in a newer release (or if we are not going to upgrade imminently) I will see what I can do about rewriting the registration script myself.

Last edited by vometia; 08/10/20 09:58 PM.

Support, Joined: Mar 2003, Location: Canada

The forum has been updated to https, and passwords are no longer being sent by email.

Raze #739860 29/11/20 08:42 AM
stranger, Joined: Oct 2020
Originally Posted by Raze

The forum has been updated to https, and passwords are no longer being sent by email.

Thanks for the quick fix! Much appreciated!

stranger, Joined: Oct 2021
Necro-ing this post to say passwords are still being sent in plaintext. I joined today and my first encounter with the forum was to have my username and password sent to me via email in plaintext. I'm glad to see this has been addressed previously, but it needs to be revisited.

stranger, Joined: Jan 2022
I just joined today, can confirm that passwords used to register are being sent on account creation.
I was a little shocked and deleted the email straight away; not that I felt like I would be hacked, but just in case someone compromised my email, they couldn't search for passwords in emails.

Raze #933690 22/01/24 10:20 AM
stranger, Joined: Jan 2024
Originally Posted by Raze
passwords are no longer being sent by email.
[Linked Image from i.imgur.com]

Raze #936676 21/02/24 10:46 AM
usx, stranger, Joined: Feb 2024
Registered 2 days ago, passwords are still sent in cleartext

stranger, Joined: Oct 2024
Registered today, passwords still sent in plaintext

Powered by UBB.threads™ PHP Forum Software 7.7.5