#577170 18/12/15 07:19 PM
stranger
Joined: Dec 2015
Hi Larian Studios!

This really wasn't the first thing I thought I was going to write about on your forum, but this is so serious that I cannot ignore it.

I just created my account, and to my surprise I got my password sent to me in plain text. This is a really serious security risk. Passwords should NEVER be sent in any emails whatsoever. Email can very easily be read by people who shouldn't have access to our passwords. And also, most emails are sent unencrypted. It's super easy to sniff the complete content of any email. That's why you should never send any sensitive information in an email. This is common knowledge.

In my case, I also had a friend over when I registered my account. He saw me open my email and we looked at each other and both said "seriously, they sent the password in plain text..." In this case, it's not "that" big of a problem that he saw it. I trust him and I'm sure he won't do anything. But still, I don't want him to know my password. And also, this particular password is now compromised. So what I will have to do now is to change my password on the other forums that I use this password on. Fortunately, I use different passwords depending on what it's for, so it's not that many places where I have to change my password, and not everything is compromised. But if you ask me (and most other people), I would say that NONE of my passwords should've been compromised just because I registered an account on Larian Studios forums.

The fact that this problem exists is really bad, but it isn't the worst part. Even though this is a problem so obvious that I personally think there's no way Larian Studios could've missed it, it might still be possible.

You see, I'm kind of giving you the benefit of the doubt. But...

This was only a possibility up until the point where the user "Blauwmuts" pointed it out in a forum post two YEARS ago. A post that you guys have read and responded to. Any serious company would've said, "Damn, we really need to patch this asap!". But you didn't care that much. Did you? A serious security problem, and you just say "The forum software will be upgraded in the not too distant future" and "password security will be addressed then.".

Do I need to mention that I am very disappointed?

First of all, this was, as I said earlier, noticed two years ago. And the problem still exists. But more importantly, you say that password security will be addressed later when it's time to upgrade the forum software?! So security clearly isn't a big deal for you guys. But for me and most people, security is something important.

All of this makes me wonder how the rest of your security is. Are our passwords at least encrypted in your databases, or are they stored in plain text in there too? Is your "Larian Vault", where I'm supposed to get my serial key for my game later on, any more secure?

Larian Studios. I'm really sorry about this kind of "angry" and "upset" first post from me, but this problem and the fact that you have ignored it for at least two years actually made me both angry and upset. I expected more from you. And I still do expect more from you.
Your company is getting big and you seriously cannot ignore these kinds of problems. I hope that you will actually take this seriously this time and that you will address this issue asap. This should've been addressed two hours after "Blauwmuts" reported it the first time. Not two years later...

Last edited by FireZtreaM; 18/12/15 07:32 PM.
Duchess of Gorgombert
Joined: May 2010
Location: Oxford
The forum software is earmarked for being upgraded, though with Larian being a small company with limited resources, that will probably still take time. One of the forum admins would be better placed to confirm what stage that's at, though (I'm just a random volunteer).

What I will say is that it's really a Very Bad Idea to use the same password on any two sites given the number of compromises there are these days: I would strongly recommend using a secure password manager which generates a unique and difficult to guess password for each login that you have. I've known examples of people who've shared passwords between e.g. games community sites and their online banking and the results weren't good.

I love cheese.
stranger
Joined: Dec 2015
Hi there Vometia!

I get what you're saying. But here's the thing. It's not that I'm not careful with my passwords. I use different passwords for all important stuff. But for some stuff, I reuse my password just because it's convenient/easy. I absolutely understand that this isn't the best way to do it. But the thing is that I still expect that any serious company, which I assume Larian Studios is, will do their best to protect my personal information such as passwords, real name, addresses and so on. And when someone notices that some personal information is compromised, the company should immediately make sure to fix this security issue.

I mean, it's not the fact that I have to change my password on a few websites that makes me angry. That's on me, and you're right that I shouldn't have reused the same password. If my password had been leaked because of some accident or because they were hacked, this would've been a different matter. They would of course have to make sure that their systems were even more secure after something like that, but if something other than my Larian Studios account was compromised it wouldn't be Larian Studios' fault. But this is not the case here. My password wasn't compromised because of something that Larian Studios couldn't prevent. My password was compromised because Larian Studios just didn't give a crap about making sure that their users' personal information had even a little bit of protection. It's not the fact that my password was compromised that makes me the most upset. They have known about this issue for two years now! It's the fact that they don't care that makes me really upset.

Duchess of Gorgombert
Joined: May 2010
Location: Oxford
For the record, I do agree with you, and I'm surprised at the number of websites that send out plaintext passwords on confirmation of registration (hopefully prior to doing a one-way encryption on it). And as a mod, I'd love the forum software to be upgraded from that point of view, too: but also speaking as a forum admin elsewhere, I understand it's quite a serious pain in the bum to actually execute well, and needs a significant investment of resources.

So I'm not trying to brush it under the carpet, and I do agree somewhat with your feelings (especially as an ex-information security employee elsewhere) but I think for the time being we need to be pragmatic and accept the current limitations. I wouldn't go as far as to say that Larian doesn't give a crap, they're generally pretty good with end-user support, but I don't want that to sound like your concerns are just being dismissed with a hasty "yes but..." either. Although the forum admins will probably see this post, I'll raise the matter with them anyway to make sure it comes to someone's attention.

I love cheese.
stranger
Joined: Dec 2015
The password reset works OK though: it sends a random password. The initial sign-up process should not ask for a password, but should send a random one in the activation email.


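The two registration flows this thread contrasts, as an added example that is not Larian's or the UBB.threads forum's code: the pattern the thread complains about, which echoes the chosen password back in the welcome mail and stores it in plain text, next to a flow that keeps only a salted PBKDF2 hash and mails a single-use activation token. The in-memory user store, the activation URL and the mail templates are constructed stand-ins for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-ins for the forum's user table and pending activations.
USERS = {}
PENDING_ACTIVATIONS = {}
PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def register_insecure(email: str, password: str) -> str:
    """The pattern the thread describes: the password is stored as-is and
    echoed back in the welcome mail, so anyone who reads the mail has it."""
    USERS[email] = {"password": password}
    return f"Welcome! Your login is {email} and your password is {password}"


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted one-way hash; the site keeps only salt and digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register_secure(email: str, password: str) -> str:
    """Store only the hash and mail a one-time activation token; nothing in
    the mail is usable as a credential by itself."""
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "digest": digest, "active": False}
    token = secrets.token_urlsafe(32)
    PENDING_ACTIVATIONS[token] = email
    return f"Welcome! Activate your account: https://forum.example/activate?t={token}"


def activate(token: str) -> bool:
    """Tokens are single use: pop() removes it on first successful activation."""
    email = PENDING_ACTIVATIONS.pop(token, None)
    if email is None:
        return False
    USERS[email]["active"] = True
    return True


def verify_password(email: str, candidate: str) -> bool:
    user = USERS.get(email)
    if not user or not user.get("active"):
        return False
    _, digest = hash_password(candidate, user["salt"])
    return hmac.compare_digest(digest, user["digest"])  # constant-time compare


def mail_leaks_secret(mail_body: str, password: str) -> bool:
    """Reviewer check to run over outgoing mail templates in a test suite."""
    return password in mail_body
```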