stranger
OP
Joined: Jun 2020
|
Just made an account and got an email with my username and password in plain text. Why in the world would you send a password in plain text??? Beats me, but that's a MAJOR security flaw. Nobody should ever, for any reason, EVER send a password ANYWHERE in plain text. Makes me wonder if Larian stores passwords in plain text? I dunno, I'm kinda doubting security in Larian's products now.
Huge fan of Larian, but this is a really big problem that should be fixed ASAP.
Keep up the good work guys, you're seriously the best game studio out there.
|
Support
Joined: Mar 2003
|
There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content). After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.
|
stranger
OP
Joined: Jun 2020
|
Thanks for the quick response! I understand the difficulties of migrating everything, and hope you can migrate everything smoothly!
|
member
Joined: Jul 2020
|
I am glad this bug will be fixed, but it is still there today. When upgrading the forum software, I hope Larian will consider migrating to a different forum platform which offers more advanced features. Notably, a gaming company ought to appreciate the value of "gamification". A couple of worthy contenders as replacements include:
Discourse https://www.discourse.org/
Vanilla Forums https://vanillaforums.com/en/software/
Both of these are available under a Free Licence.
|
Banned
Joined: Aug 2020
|
Hi, I just joined and had the same thing happen. I was emailed my password in plain text. I just made sure to delete the email, so someone couldn't get a hold of my account.
Though if someone was to hack or break into my email, I'm not sure why they would try to get into my Larian forums account lol
|
enthusiast
Joined: Jan 2012
|
With most people, there's one password for everything. A password to a forum account could open many, many doors. Besides, people don't necessarily need to break into your email, they can break into any server between the one @Larian and your mail server!
|
Banned
Joined: Aug 2020
|
> With most people, there's one password for everything. A password to a forum account could open many, many doors. Besides, people don't necessarily need to break into your email, they can break into any server between the one @Larian and your mail server!

I do agree with that. It's quite scary how someone could potentially lose everything, through just one password being leaked/hacked/broken into. I still think it's not the best idea to send passwords in visible text through emails tho
|
stranger
Joined: Oct 2020
|
I just joined to post some feedback on BG3 and I was horrified to see that Larian are sending passwords in plaintext. What is this, 1993? Here we are four months after OP raised this concern and it's not been fixed. As an infosec professional, this makes me very uneasy. Especially as the site doesn't use HTTPS. That means that all communications with the website are sent in plaintext too. Come on Larian. You really need to fix this as a matter of urgency if you don't want to look like a Mickey Mouse operation.
|
Support
Joined: Mar 2003
|
2003, actually. Well, there have been several updates to the forum software in the meantime. There is currently an update planned to add https support, as an interim measure until the forum can be replaced.
|
stranger
Joined: Oct 2020
|
Thanks for the reply. Looking forward to the update and eventual migration.
|
Support
Joined: Mar 2003
|
The forum has been updated to https, and passwords are no longer being sent by email.
|
stranger
Joined: Oct 2020
|
Can confirm, I just joined and only my username was emailed to me. I double checked the email after coming across this thread.
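
As an added illustration (not part of the thread, and not Larian's or the forum software's code), the end state Support describes, where only a salted hash is stored and only the username is emailed, could look like this in Python. The in-memory user table, function names, email wording and PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed PBKDF2 parameters for this example (not taken from the thread).
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32

USERS = {}  # hypothetical in-memory user table: username -> {"salt", "hash"}


def hash_password(password, salt):
    """Derive a slow, salted hash; only this output is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ITERATIONS, dklen=KEY_LEN)


def register(username, password):
    """Store salt + hash, then return the confirmation email body."""
    if username in USERS:
        raise ValueError("username already taken")
    salt = secrets.token_bytes(SALT_LEN)  # unique per account
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}
    # The email confirms the account name only; the password never leaves
    # the registration request, so it cannot be read from a mailbox or
    # from a mail relay in transit.
    return f"Welcome! Your forum account '{username}' has been created."


def verify_login(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown usernames take about as long as known ones.
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample account, for demonstration only.
    print(register("newuser", "correct horse battery staple"))
    print(verify_login("newuser", "correct horse battery staple"))
    print(verify_login("newuser", "wrong guess"))
```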