Larion Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.
Don’t use a password
therethat you’ve used anywhere else
Just get a password manager already
Larion Studios forum stores your passwords in unhashed plaintext.
Submitted 7 months ago by Cabrio@lemmy.world to games@lemmy.world
https://lemmy.world/pictrs/image/6a3f7bd4-8bec-46c8-9330-a51ab51fb609.png
Comments
lowleveldata@programming.dev 7 months ago
TigrisMorte@kbin.social 7 months ago
Spacecraft@lemmy.world 7 months ago
I want to suggest 1Password even though it’s not free (I used bitwarden for many years though). It has its own SSH agent which is a dream.
miroppb@kbin.social 7 months ago
BitWarden is awesome. Been using it since 2 of my colleagues went to work for them
brb@sh.itjust.works 7 months ago
How is this better than Firefox built-in password manager?
Ledivin@lemmy.world 7 months ago
I just wanted to drop a reminder that both LastPass and Norton LifeLock were hacked within the past year alone.
Kbin_space_program@kbin.social 7 months ago
KeePass is a thing that exists and is fantastic.
SaltySalamander@kbin.social 7 months ago
I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.
lowleveldata@programming.dev 7 months ago
Use KeePassXC and you can’t get hacked
neatchee@lemmy.world 7 months ago
And here’s a reminder that trusting centralized service with high security access control is usually a bad idea.
I stay away from LastPass for the same reasons I stay away from TeamViewer. Security through obscurity on top of decoupling my security interests from others means other people being attacked is much less likely to cause me harm at the same time
Vash63@lemmy.world 7 months ago
And at least for LastPass no passwords were compromised. The safes themselves are E2E encrypted so they also don’t have your password.
That said, my vote is to Bitwarden as it’s open source and allows self hosting if you think you’re a more reliable admin than they are. Open plus more choice is always better.
dpkonofa@lemmy.world 7 months ago
One vote for 1Password here.
CuddlyCassowary@lemmy.world 7 months ago
I literally trust them with my life. Agreed.
nickwitha_k@lemmy.sdf.org 7 months ago
That’s very unlikely. It’s running UBB Threads, which, from what I can tell, has an auth subsystem, which au minimum would do hashing. If it’s providing you with a default at sign-up, that’s different and is what appears to be a configurable setting.
If it is completely generated for you, here’s what probably happening:
- User creation module runs a password generator and stores this and the username in memory as string variables.
- User creation module calls back to storage module to store new user data in db, including the value of the generated password var.
- Either the storage module or another middleware module hashes the password while preparing to store.
- Storage module reports success to user creation.
- User creation module prints the vars to the welcome template and unloads them from memory.
TL;DR as this is running on a long-established commercial php forum package, with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.
Cabrio@lemmy.world 7 months ago
It sends the user generated password, not an auto generated one.
hex@programming.dev 7 months ago
Yeah if they send the password in an email in plain text that’s not storing it. You can send the email before you store the password while it’s still in memory and then hash it and store it.
vox@sopuli.xyz 7 months ago
no, they dont.
they just send it to your email upon registration.Mirodir@discuss.tchncs.de 7 months ago
…and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.
Thadrax@lemmy.world 7 months ago
Automatically generated emails usually don’t get saved.
tb_@lemmy.world 7 months ago
But that still means they had your plaintext password at some point.
vox@sopuli.xyz 7 months ago
hashing on client side is considered a bad idea and almost never done.
Kilamaos@lemmy.world 7 months ago
Of course. You receive the password in plain on account creation, do the process you need, and then store it hashed.
That’s fine and normal
Hexarei@programming.dev 7 months ago
Um. Yeah, because you provided it to them. They have to have it in plain text in order to hash it.
dangblingus@lemmy.world 7 months ago
I’ve literally never had a service provider email me my own password ever. Maybe a OTP, but never my actual password. And especially not in plaintext.
What would be the necessity behind emailing someone their own password? Doesn’t that defeat the purpose of having a password? Email isn’t secure.
wim@lemmy.sdf.org 7 months ago
I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.
A lot of cottage industry web apps also did the same.
benjacoblee@lemmy.world 7 months ago
Idk if I’m misremembering, but it’s my impression that they did this a lot in the 2000s, haha. I guess bad practices have a habit of sticking around
EssentialCoffee@midwest.social 7 months ago
I’ve had service providers physically mail my own password to me before. Just crazy.
Always use unique passwords for every site.
TheEighthDoctor@lemmy.world 7 months ago
So it’s in plaintext in their email system
Thadrax@lemmy.world 7 months ago
Generated emails usually don’t get saved, as soon as it is delivered it will be gone.
vox@sopuli.xyz 7 months ago
these emails don’t usually get copied to local outbox folder (as any oher auto generated emails)
JackbyDev@programming.dev 7 months ago
“Kinda a bad idea?” This is fucking insane.
Umbraveil@lemmy.world 7 months ago
Is it though? While it certainly isn’t something I’d recommend, and I’ve encountered it before, if E2E encryption exists we cannot assume a data exposure had occurred.
What they do on the backend has nothing to do with this notification system. Think of it as one of these credentialess authentication systems that send a ‘magic link’ to your inbox.
inclementimmigrant@lemmy.world 7 months ago
While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn’t mean they stole your password in their database as plaintext.
JackbyDev@programming.dev 7 months ago
Encrypted passwords are still an unacceptable way to store passwords. They should be hashed.
Michal@programming.dev 7 months ago
Just because they send out the password does not mean it’s not hashed. They could send the email before hashing.
jeeva@lemmy.world 7 months ago
Would you accept “in a way that can be reversed”?
tonkatwuck@lemmynsfw.com 7 months ago
It’s possible that this email is a result of forum user creation, so during that submission the plaintext password was available to send to the user. Then it would be hashed and stored.
Serdan@lemm.ee 7 months ago
Passwords shouldn’t be stored at all though 🤷♂️
Vlixz@lemmy.world 7 months ago
You mean plaintext passwords right? Ofcourse then need to store your (hashed)password!
hperrin@lemmy.world 7 months ago
You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.
Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.
icedterminal@lemmy.world 7 months ago
I recently created an Activision account during a free weekend event and discovered their password system is completely broken. 30 character limit but refused to accept any more than 12 characters. Kept erroring out with must be less than 30. Once I got it down to 12 it accepted that, but then it complained about certain special characters. Definitely not giving them financial information.
Darkassassin07@lemmy.ca 7 months ago
My bank has a character limit, but they don’t tell you about it; they just trim the password you’ve set before hashing + saving it, then when you go to login if you don’t trim your password the same way they did, login fails.
I only know this because the mobile app will actually grey out the login button as soon as you enter more than the character limit. The web app just leaves you to be confused.
exal@lemmy.ca 7 months ago
Especially if they have a maximum password length.
Not really, there are good reasons to limit password length. Like not wanting to waste compute time hashing huge passwords sent by a malicious actor. Or using bcrypt for your hashes, which has a 72 byte input limit and was considered the best option not that long ago. The limit just has to be reasonable; 72 lowercase letters is more entropy then the bcrypt hash you get out of it, for example.
jonne@infosec.pub 7 months ago
Sending your password right after you created it might not be best practice, but it doesn’t mean it’s stored unhashed in the database. It looks like they’re using a third party forum software, so it should be pretty straightforward to figure out whether they do or not.
AlmightySnoo@lemmy.world 7 months ago
it should be pretty straightforward to figure out whether they do or not
Not really since it’s closed-source: www.ubbcentral.com
But they seem to have been in business since 1997, so I highly doubt that they’d fuck up the “never store passwords in plain text” rule.
slazer2au@lemmy.world 7 months ago
Set your password to an EICAR test string and see what else you can brick on their site.
CurlyMoustache@lemmy.world 7 months ago
sysadmin420@lemmy.world 7 months ago
Holy shit beautiful. Now I wanna try it everywhere
1984@lemmy.today 7 months ago
It’s 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one. :)
Honytawk@lemmy.zip 7 months ago
There are people who purposely forget their passwords, so they use the “forgot my password” link every time they need to login.
Hard to hack them.
Kolanaki@yiffit.net 7 months ago
I’ve used the same password for everything since 1991. If anyone’s cracked it, they haven’t attempted to get into my shit. Probably because there’s nothing worthwhile to steal.
emptyother@programming.dev 7 months ago
Oh, they are. I keep telling people to WRITE DOWN YOUR PASSWORDS, and NEVER use same password on two sites. They dont listen. Its a lot easier to just remember 1-4 variations of a password and use that than carry around a password notebook. And they think themselves safe.
I’m thinking most people shouldnt use passwords at all anymore. They are a huge point of failure because people are people. We need something else to be the norm. How can we make hardware keys or something the norm for logging in? Have everyone carry around a bankcard-like thing that fit into every computer where people need credentials. Would’nt that be safer while still being accessible and convenient?
Krakatoacoo@lemmy.world 7 months ago
For those who haven’t made accounts yet, you don’t actually have to make an account to play Larian Studios games.
Miclux@lemmings.world 7 months ago
[deleted]lwuy9v5@lemmy.world 7 months ago
what a stupid comment
Dremor@lemmy.world 7 months ago
This post is pending mod review
Hello, c/Games mod here.
For everyone infosec culture, hashing and salting password consist in using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker that was able to steal a database to obtain the password. As the website is unable to decrypt said password (thank to the one way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in his database.
But
In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure if Larion Studios indeed have unhashed and unsalted password in his database.
We will review this post later today as it is arguably breaking Rule 1 and Rule 4, as well as being incorrect. in the meantime it will stay up with this pinned message.
AlmightySnoo@lemmy.world 7 months ago
That doesn’t really mean that they store it in plain text. They sent it to you after you finished creating your account, and it’s likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).
ono@lemmy.ca 7 months ago
Your guess is confirmed here.
Also, no, the password would not necessarily still be stored in plain text on their end. The cleartext password used in that email might be only in memory, and discarded after sending the message. Depends on how the UBB forum software implemented it.
Asudox@lemmy.world 7 months ago
It is still a bad idea to send the password in plaintext via email.
Cabrio@lemmy.world 7 months ago
¿Porque no los dos?
Took them 23 years to fix it last time, seems public awareness would be important in the interim, no?
Cabrio@lemmy.world 7 months ago
Yes, still not worth risking using a duplicate password though.
finestnothing@lemmy.world 7 months ago
Honestly, why risk duplicate passwords even then? I have one strong password that I use for accessing my password manager, and let the password manager generate unique random passwords. Even if I had an easier password that I duplicated with some small changes, I’d still use a password manager to autofill it anyway. I use bitwarden personally, you can also self host it with vaultwarden but it seemed like more trouble than it was worth imo
wahming@monyet.cc 7 months ago
Applies to every site ever
trustnoone@lemmy.sdf.org 7 months ago
I actually think this is the case. I could be completely wrong but I swear I saw the same question like 6 years ago in another forum software that looks exactly like this one lol. And people compalined about it storing plain text, but the response when asking the forum people was that it was only during that password creation, it’s not actually stored.
I don’t know if it’s crazy for me to think it’s the same forum from that many years ago, still doing the same thing and getting the same question.
glad_cat@lemmy.sdf.org 7 months ago
We all know that they store it in plain text.
ryannathans@aussie.zone 7 months ago
Came here to say this
ARk@lemm.ee 7 months ago
Well you’re late