So I'm working in WebDev and after making an account on here, I was pretty shocked to discover that the confirmation email had a section that said:
For your records, your login information is as follows:
Email: [My Email]
Password: [My Password]
This is like, a serious SERIOUS security threat for every user on here, especially the ones that reuse their passwords a lot (Please use a password manager, people).
As soon as anyone manages to find their way into the user database, by a hacking attack or a disgruntled employee with malicious intentions, they can expose every single password and email combination in a giant data leak.
This will probably cause millions in legal damages for Larian Studios.
I've seen threads from THREE YEARS ago that have pointed out that exact problem. The fact that this still isn't fixed is honestly very scary.
The solution to changing this would be to encrypt the passwords in the register function, then when the user logs in, compare the thing they entered to the encrypted password in the database using the encryption functions provided by PHP (and any other language).
This isn't a big fix; this is just having someone change 2-5 lines of code and creating a script that converts the existing passwords.
I really hope this issue will be addressed before serious damage is going to happen.
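An added example of the register/login change and the one-off conversion script described in the post, using PHP's built-in password_hash() and password_verify() (this is illustration code, not Larian's code; the `users` table, its `email`/`password` columns and the `$db` PDO handle are assumptions):

```php
<?php
// Added example: store a salted, slow password hash instead of the plaintext.
// Assumes a `users` table with `email` and `password` VARCHAR(255) columns and a PDO handle.

function registerUser(PDO $db, string $email, string $password): void {
    // Only the hash is written; the plaintext never reaches the database or any email.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function loginUser(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Verify against a throwaway hash so an unknown email takes as long as a wrong password.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // Transparently upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :hash WHERE email = :email');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':email' => $email]);
    }
    return true;
}

// One-off conversion script for the existing plaintext column: hash every row in place.
// Returns the number of rows converted; rows that already hold a recognised hash are skipped.
function migratePlaintextPasswords(PDO $db): int {
    $count = 0;
    $rows = $db->query('SELECT email, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $upd = $db->prepare('UPDATE users SET password = :hash WHERE email = :email');
    foreach ($rows as $row) {
        if (!empty(password_get_info($row['password'])['algo'])) {
            continue; // already hashed, leave it alone
        }
        $hash = password_hash($row['password'], PASSWORD_DEFAULT);
        $upd->execute([':hash' => $hash, ':email' => $row['email']]);
        $count++;
    }
    return $count;
}
```

After the migration the confirmation email can no longer include the password, because nothing in the system holds it once the request that set it has finished.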