But that still means they had your plaintext password at some point.
Comment on Larion Studios forum stores your passwords in unhashed plaintext.
vox@sopuli.xyz 1 year ago
no, they don't.
they just send it to your email upon registration.
tb_@lemmy.world 1 year ago
vox@sopuli.xyz 1 year ago
hashing on client side is considered a bad idea and almost never done.
sleepy555@lemmy.world 1 year ago
Really every time you log in too.
wim@lemmy.sdf.org 1 year ago
It’s not a bad idea and it is often done, just not in a browser/webapp context.
hotdoge42@feddit.de 1 year ago
Can you give an example where this is done?
Kilamaos@lemmy.world 1 year ago
Of course. You receive the password in plain on account creation, do the process you need, and then store it hashed.
That’s fine and normal
kadu@lemmy.world 1 year ago
[deleted]
Vegasimov@reddthat.com 1 year ago
When you create an account you type your password in. This gets sent to the server, and then it is hashed and stored
So there is a period of time where they have your unhashed password
This is true of every website you have ever made a password on
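The register-then-hash flow this comment describes, as an added Python example that is not from the original thread: the server sees the plaintext only for the duration of the request, derives a salted scrypt hash, and stores nothing else. The in-memory USERS store and the scrypt parameters are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt, hash). No plaintext is kept.
USERS: dict[str, tuple[bytes, bytes]] = {}

# scrypt cost parameters (constructed example values; 128*N*r bytes = 16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def _derive(password: str, salt: bytes) -> bytes:
    # The plaintext exists in memory only as this function's argument.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def register(username: str, password: str) -> None:
    """Account creation: receive the plaintext once, hash it with a fresh
    random salt, and persist only (salt, hash). Nothing is e-mailed or logged."""
    salt = os.urandom(SALT_LEN)
    USERS[username] = (salt, _derive(password, salt))


def verify(username: str, password: str) -> bool:
    """Login: the plaintext arrives again, is re-derived with the stored salt
    and compared in constant time. Unknown users still pay for one derivation
    so response timing does not reveal whether the account exists."""
    salt, stored = USERS.get(username, (b"\x00" * SALT_LEN, b"\x00" * KEY_LEN))
    match = hmac.compare_digest(_derive(password, salt), stored)
    return match and username in USERS


def stored_record(username: str) -> tuple[bytes, bytes] | None:
    """What the server actually retains for a user (for inspection in tests)."""
    return USERS.get(username)
```

Even with this done right, the plaintext still crossed the wire and lived briefly in server memory; what matters for the thread's question is that it is never written anywhere, including outbound e-mail.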
Hexarei@programming.dev 1 year ago
Um. Yeah, because you provided it to them. They have to have it in plain text in order to hash it.
dangblingus@lemmy.world 1 year ago
I’ve literally never had a service provider email me my own password ever. Maybe a OTP, but never my actual password. And especially not in plaintext.
What would be the necessity behind emailing someone their own password? Doesn’t that defeat the purpose of having a password? Email isn’t secure.
wim@lemmy.sdf.org 1 year ago
I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.
A lot of cottage industry web apps also did the same.
EssentialCoffee@midwest.social 1 year ago
They’re probably just young.
benjacoblee@lemmy.world 1 year ago
Idk if I’m misremembering, but it’s my impression that they did this a lot in the 2000s, haha. I guess bad practices have a habit of sticking around
EssentialCoffee@midwest.social 1 year ago
I’ve had service providers physically mail my own password to me before. Just crazy.
Always use unique passwords for every site.
TheEighthDoctor@lemmy.world 1 year ago
So it’s in plaintext in their email system
Thadrax@lemmy.world 1 year ago
Generated emails usually don’t get saved, as soon as it is delivered it will be gone.
vox@sopuli.xyz 1 year ago
these emails don't usually get copied to local outbox folder (as any other auto generated emails)
JackbyDev@programming.dev 1 year ago
“Kinda a bad idea?” This is fucking insane.
Umbraveil@lemmy.world 1 year ago
Is it though? While it certainly isn’t something I’d recommend, and I’ve encountered it before, if E2E encryption exists we cannot assume a data exposure had occurred.
What they do on the backend has nothing to do with this notification system. Think of it as one of these credentialless authentication systems that send a ‘magic link’ to your inbox.
Mirodir@discuss.tchncs.de 1 year ago
…and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.
Thadrax@lemmy.world 1 year ago
Automatically generated emails usually don’t get saved.
glitches_brew@lemmy.world 1 year ago
As the designated email dev at my company I can confidently say this is not true.
Not saying that this specific email is persisted, but almost all that I work with are. It’s a very common practice.
Rambomst@lemmy.world 1 year ago
Yeah, we save most emails sent out at my work.
tocopherol@lemmy.dbzer0.com 1 year ago
I wonder how much this varies depending on the amount of data it would require to store the emails of a company. I know nothing about this subject, but does it occur where companies with very large email lists would forgo storing those types of emails to save data costs?