#587057 19/09/16 12:39 AM
apprentice (OP), joined Sep 2016:
Sorry, I posted this in an inappropriate thread under Divinity: Original Sin 2. I think it belongs here:

When I registered on the forums, my confirmation email contained my password in plain text. Do NOT do this. This also means that you guys are storing passwords in plain text in the database. Do NOT do that either!

Hash them for storage. When someone logs in, hash what they input as the password and compare it to the hash in the database. That is how it should be done. Then you will never have an issue of sending plain text password because it will be impossible.

Our passwords are at risk for no good reason. Not only on this site, but many of us use the same password for various accounts on various websites. Please fix this.

old hand, joined Dec 2003, Krynn:
Hello,

The password is sent to your email before it is stored in the database.

I can assure you that the password in the database is properly hashed and salted. I couldn't tell you your password if you asked for it, and anyone that could get into our database would just have rubbish for passwords.

For instance, if you reset your password, you will be sent a temporary password that you need to change immediately. Because: the forum does not know your password. And neither do we.


Tweeting @forktong
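The two posts above describe the intended design: hash the password with a salt at registration, hash the login attempt and compare, and for resets send a temporary credential that the server itself does not retain. The following is an added example of that flow in Python, not code from this forum or from UBB.threads. The choice of PBKDF2-HMAC-SHA256, the in-memory dictionary standing in for the database, the 15-minute reset window and all function names are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Assumption: an in-memory dict stands in for the forum's user table.
# Only salt + hash (and a hashed reset token) are ever kept per user.
USERS = {}

ITERATIONS = 600_000  # PBKDF2 work factor; assumption, not a forum setting


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> dict:
    """Store only the salted hash; the returned record is all an email could carry."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "reset": None}
    # No plaintext survives this call, so a confirmation email cannot include it.
    return {"username": username}


def verify_login(username: str, password: str) -> bool:
    """Hash the submitted password with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Do the same work for unknown users so response time does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def issue_reset_token(username: str, ttl_seconds: int = 900,
                      now: Optional[float] = None) -> Optional[str]:
    """Temporary credential for the reset email: random, single-use, expiring.

    Only its SHA-256 is stored, so the email is the sole copy and the server
    cannot reproduce it later, matching the 'the forum does not know your
    password' property described above.
    """
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; no slow hash needed
    issued = now if now is not None else time.time()
    rec["reset"] = {
        "hash": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": issued + ttl_seconds,
    }
    return token


def reset_password(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the reset token (success or not) and set a new salted hash."""
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    pending = rec["reset"]
    rec["reset"] = None  # single use: a wrong guess burns the token too
    current = now if now is not None else time.time()
    if current > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    rec["salt"], rec["hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # Constructed walk-through: register, log in, reset, log in again.
    register("alice", "correct horse battery staple")
    print("login ok:", verify_login("alice", "correct horse battery staple"))
    tok = issue_reset_token("alice")
    print("reset ok:", reset_password("alice", tok, "new passphrase"))
    print("old password still works:", verify_login("alice", "correct horse battery staple"))
```

The point the example makes concrete: because `register` returns before any plaintext is retained, there is nothing for the confirmation email to leak; the only way a password ends up in an email is if the sending happens before hashing, which is exactly the ordering the reply above admits to.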
#671208 29/07/20 10:05 AM
stranger, joined Jul 2020:
As a fan of the studio, and a gamer looking forward to BG3, I made an account here. Quite frankly I am pretty shocked by the sloppy security protocols implemented here.

I want to raise the following issues, of course in the hopes that these will be fixed (and imo they should be!).

1) No https for the forums, seriously? I am on holiday in a less-than-privacy-friendly country, and my first thought was the govt was mass-MITMing public traffic. Imo this is below ANY standard.
2) Plaintext passwords in email? Are you kidding me? I don't think I need to explain this one.
3) Only 20 characters for the passwords? Should be expanded a LOT imo.

These things combined make me think that the website might not have been kept as up to date as it should be.
And to think I only tried to register here to let my voice be known for a Linux version of BG3!
Pretty negative first post, I understand that but... I feel these issues had to be raised, and level up the website along with your game design!

I appreciate all the hard work you guys have put into your game(s) and would say, keep it up!

Larian Studios (Raze), joined Mar 2003, Canada:
There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content, since 2003).
After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.

stranger (Herbzmoka), joined Jul 2020:
I am happy to hear that you are aware and agree things could be better! And of course also that there are plans for improvement. Admittedly, 20-character passwords is kinda 2000s.

That said, no SSL is imo really an issue; hopefully you'll take that along in the upgrade at least, even though I really see no reason at all not to have a cert for anything these days.

Last edited by Herbzmoka; 31/07/20 02:09 PM.
stranger (Lanetolsun), joined Aug 2020, Turkey:
Hello,
Just created an account to point out https ;) and found my answer. You had better hurry, because with BG3 this forum will be much more crowded, and that may also mean active targeting by evil-doers.

Last edited by Lanetolsun; 26/08/20 07:45 PM. Reason: typo

He who fights with monsters might take care lest he thereby become a monster. And when you gaze long into an abyss the abyss also gazes into you.

Core i7-6900K, 64GB Ram, Rtx 2080, Soundblaster ZXR, lg-34GK950F-B,Logitech Z906 Thx.
Raze #673417 28/08/20 12:35 PM
journeyman, joined Oct 2017, replying to Raze:
Originally Posted by Raze

There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content, since 2003).
After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.
Implementing HTTPS is done on the web server layer, not on the forum software layer. It's a no-brainer and takes an hour to implement, at most. It's a shame for Larian that they still use insecure http in 2020.

Duchess of Gorgombert (vometia), joined May 2010, Oxford:
We are aware of the issue and I have escalated it. Unfortunately I am not able to implement it myself.


J'aime le fromage.
journeyman, joined Oct 2017, replying to vometia:
Originally Posted by vometia
We are aware of the issue and I have escalated it. Unfortunately I am not able to implement it myself.


Being aware of something, and actually fixing something are two very different things. I hope your escalation bears fruit. Thanks for doing so.

veteran (AlrikFassbauer), joined Mar 2003:
The German-language chat forums seem to be gone ???

When you find a big kettle of crazy, it's best not to stir it.
--Dilbert cartoon

"Interplay... some zombiefied unlife thing going on there" - skavenhorde at RPGWatch
Duchess of Gorgombert (vometia), joined May 2010, Oxford:
Originally Posted by AlrikFassbauer
The German-language chat forums seem to be gone ???

They have moved! Much closer to the top now, in the hope that more people see they exist.


J'aime le fromage.
stranger, joined Mar 2020:
Why the hell does this exist:

***You can only make a post every 1800 seconds. Please try again once this time has expired.

I am trying to help out people and I can't write multiple posts, why??? I need to wait 30 minutes between posts. Deal breaker for me. What the hell!!!!
This should be removed asap.

Duchess of Gorgombert (vometia), joined May 2010, Oxford:
It's a restriction on new registrations due to spam problems in the past. The restriction is normally lifted quite soon, as it has been in your case.


J'aime le fromage.
stranger, joined Oct 2020, Paris:
It may be the worst forum you've ever heard of, but at least you've heard of it.

ForkTong #678665 07/10/20 01:35 PM
stranger (smiley), joined Oct 2020, replying to ForkTong:
I just wanted to create a post regarding the same issue. While I trust you that passwords are stored securely, emails are still similar to postcards, and sending the password that I just chose to create this account in plain text is a very bad and outdated practice. Any mail server involved gets a copy of the login credentials. Please consider disabling this if the forum's software allows that. Thanks!

smiley #678727 07/10/20 01:59 PM
Duchess of Gorgombert (vometia), joined May 2010, Oxford:
Originally Posted by smiley
I just wanted to create a post regarding the same issue. While I trust you that passwords are stored securely, emails are still similar to postcards, and sending the password that I just chose to create this account in plain text is a very bad and outdated practice. Any mail server involved gets a copy of the login credentials. Please consider disabling this if the forum's software allows that. Thanks!

At present it doesn't, and I agree, SMTP is not renowned for its security rating. https is fairly imminently due to happen and once that's out the way I'll see what can be done about removing plaintext passwords from the confirmation emails. You are correct in that they are at least stored using a one-way encryption algorithm.


J'aime le fromage.
vometia #678771 07/10/20 02:26 PM
stranger, joined Oct 2020, replying to vometia:
Thank you for the heads-up!

stranger, joined Mar 2020:
I just started playing Baldur's Gate 3 / looking for official forums. LOL

apprentice (Ben Thunder), joined Oct 2020:
It is also my first impression that this forum is out of date. When my browser warned me about the insecure connection, I double-checked that this was in fact the official site. Very curious why this forum still remains in this shape, when the front page is so well made, with all the sleek advertising and technical prowess that you only see in big projects. The game certainly would deserve a forum overhaul, and I believe it would also be very helpful if the forums were structured more specifically. Keep in mind that this is my first impression, but it seems that the discussion areas are big "catch all" bins, and if the developers are serious about taking our feedback, then this makes it more difficult for them to find specific feedback or ideas.


Some folks are born made to wave the flag
They're red, white and blue
And when the band plays "Hail to the Chief"
They point the cannon at you, Lord
Duchess of Gorgombert (vometia), joined May 2010, Oxford:
Originally Posted by Ben Thunder
It is also my first impression that this forum is out of date. When my browser warned me about the insecure connection, I double-checked that this was in fact the official site. Very curious why this forum still remains in this shape, when the front page is so well made, with all the sleek advertising and technical prowess that you only see in big projects. The game certainly would deserve a forum overhaul, and I believe it would also be very helpful if the forums were structured more specifically. Keep in mind that this is my first impression, but it seems that the discussion areas are big "catch all" bins, and if the developers are serious about taking our feedback, then this makes it more difficult for them to find specific feedback or ideas.

The forums are due for a major upgrade at some point in the future but I don't have a timescale available at present. https is a known issue and discussed a few posts back; to reiterate, it is being worked on and undergoing testing; it will be rolled out soon. The forum structure is currently under review and that and the look-and-feel will be determined by publishing, but their priorities have been elsewhere recently. I may work on a refreshed skin/theme myself, but as a volunteer sysadmin my artistic skills are less good.

Feedback will be assessed and reviewed, as will technical issues, though it is certainly rather busy at present.


J'aime le fromage.
Moderated by  Larian_QA, Lar_q, Lynn, Macbeth, Raze 
Powered by UBB.threads™ PHP Forum Software 7.7.5