Larion Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.
Don’t use a password there that you’ve used anywhere else
Just get a password manager already
Submitted 1 year ago by Cabrio@lemmy.world to games@lemmy.world
I want to suggest 1Password even though it’s not free (I used bitwarden for many years though). It has its own SSH agent which is a dream.
BitWarden is awesome. Been using it since 2 of my colleagues went to work for them
How is this better than Firefox built-in password manager?
I just wanted to drop a reminder that both LastPass and Norton LifeLock were hacked within the past year alone.
KeePass is a thing that exists and is fantastic.
I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.
Use KeePassXC and you can’t get hacked
And here’s a reminder that trusting a centralized service with high-security access control is usually a bad idea.
I stay away from LastPass for the same reasons I stay away from TeamViewer. Security through obscurity on top of decoupling my security interests from others means other people being attacked is much less likely to cause me harm at the same time
And at least for LastPass no passwords were compromised. The safes themselves are E2E encrypted so they also don’t have your password.
That said, my vote is to Bitwarden as it’s open source and allows self hosting if you think you’re a more reliable admin than they are. Open plus more choice is always better.
One vote for 1Password here.
I literally trust them with my life. Agreed.
That’s very unlikely. It’s running UBB Threads, which, from what I can tell, has an auth subsystem, which at minimum would do hashing. If it’s providing you with a default at sign-up, that’s different and is what appears to be a configurable setting.
If it is completely generated for you, here’s what is probably happening:
TL;DR as this is running on a long-established commercial php forum package, with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.
It sends the user generated password, not an auto generated one.
Yeah if they send the password in an email in plain text that’s not storing it. You can send the email before you store the password while it’s still in memory and then hash it and store it.
No, they don’t.
They just send it to your email upon registration.
…and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.
Automatically generated emails usually don’t get saved.
But that still means they had your plaintext password at some point.
Hashing on the client side is considered a bad idea and almost never done.
Of course. You receive the password in plain on account creation, do the process you need, and then store it hashed.
That’s fine and normal
Um. Yeah, because you provided it to them. They have to have it in plain text in order to hash it.
I’ve literally never had a service provider email me my own password ever. Maybe a OTP, but never my actual password. And especially not in plaintext.
What would be the necessity behind emailing someone their own password? Doesn’t that defeat the purpose of having a password? Email isn’t secure.
I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.
A lot of cottage industry web apps also did the same.
Idk if I’m misremembering, but it’s my impression that they did this a lot in the 2000s, haha. I guess bad practices have a habit of sticking around
I’ve had service providers physically mail my own password to me before. Just crazy.
Always use unique passwords for every site.
So it’s in plaintext in their email system
Generated emails usually don’t get saved, as soon as it is delivered it will be gone.
These emails don’t usually get copied to a local outbox folder (like any other auto-generated emails).
“Kinda a bad idea?” This is fucking insane.
Is it though? While it certainly isn’t something I’d recommend, and I’ve encountered it before, if E2E encryption exists we cannot assume a data exposure had occurred.
What they do on the backend has nothing to do with this notification system. Think of it as one of these credentialess authentication systems that send a ‘magic link’ to your inbox.
While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn’t mean they store your password in their database as plaintext.
Encrypted passwords are still an unacceptable way to store passwords. They should be hashed.
Just because they send out the password does not mean it’s not hashed. They could send the email before hashing.
Would you accept “in a way that can be reversed”?
It’s possible that this email is a result of forum user creation, so during that submission the plaintext password was available to send to the user. Then it would be hashed and stored.
Passwords shouldn’t be stored at all though 🤷♂️
You mean plaintext passwords, right? Of course they need to store your (hashed) password!
You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.
Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.
I recently created an Activision account during a free weekend event and discovered their password system is completely broken. 30 character limit but refused to accept any more than 12 characters. Kept erroring out with must be less than 30. Once I got it down to 12 it accepted that, but then it complained about certain special characters. Definitely not giving them financial information.
My bank has a character limit, but they don’t tell you about it; they just trim the password you’ve set before hashing + saving it, then when you go to login if you don’t trim your password the same way they did, login fails.
I only know this because the mobile app will actually grey out the login button as soon as you enter more than the character limit. The web app just leaves you to be confused.
Especially if they have a maximum password length.
Not really, there are good reasons to limit password length. Like not wanting to waste compute time hashing huge passwords sent by a malicious actor. Or using bcrypt for your hashes, which has a 72 byte input limit and was considered the best option not that long ago. The limit just has to be reasonable; 72 lowercase letters is more entropy than the bcrypt hash you get out of it, for example.
Sending your password right after you created it might not be best practice, but it doesn’t mean it’s stored unhashed in the database. It looks like they’re using a third party forum software, so it should be pretty straightforward to figure out whether they do or not.
it should be pretty straightforward to figure out whether they do or not
Not really since it’s closed-source: www.ubbcentral.com
But they seem to have been in business since 1997, so I highly doubt that they’d fuck up the “never store passwords in plain text” rule.
Set your password to an EICAR test string and see what else you can brick on their site.
Holy shit beautiful. Now I wanna try it everywhere
It’s 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one. :)
There are people who purposely forget their passwords, so they use the “forgot my password” link every time they need to login.
Hard to hack them.
I’ve used the same password for everything since 1991. If anyone’s cracked it, they haven’t attempted to get into my shit. Probably because there’s nothing worthwhile to steal.
Oh, they are. I keep telling people to WRITE DOWN YOUR PASSWORDS, and NEVER use the same password on two sites. They don’t listen. It’s a lot easier to just remember 1-4 variations of a password and use that than carry around a password notebook. And they think themselves safe.
I’m thinking most people shouldn’t use passwords at all anymore. They are a huge point of failure because people are people. We need something else to be the norm. How can we make hardware keys or something the norm for logging in? Have everyone carry around a bankcard-like thing that fits into every computer where people need credentials. Wouldn’t that be safer while still being accessible and convenient?
For those who haven’t made accounts yet, you don’t actually have to make an account to play Larian Studios games.
what a stupid comment
Hello, c/Games mod here.
For everyone’s infosec culture, hashing and salting passwords consists of using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker that was able to steal a database to obtain the password. As the website is unable to decrypt said password (thanks to the one-way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in its database.
In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure if Larion Studios indeed has unhashed and unsalted passwords in its database.
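As an added illustration of the flow several posters describe (plaintext only in memory at registration, then a salted one-way hash on disk) and of the length-limit discussion above, here is example code that is not from the thread or from UBB Threads. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the byte limit and iteration count are assumed values, and the welcome mail deliberately never contains the password.

```python
import hashlib
import hmac
import os

# Assumed policy: accept long passwords but reject (never silently trim)
# anything beyond a server-side cap, so a malicious client cannot make the
# server hash megabytes of input.
MAX_PASSWORD_BYTES = 1024
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'salt_hex$digest_hex'. The output length is constant whatever
    the input length, so the DB column never constrains the password."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw, bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(username: str, password: str, send_mail) -> dict:
    """Registration handler: the plaintext exists only in this frame.
    send_mail(recipient, body) is a hypothetical mailer; the body carries
    no secret, so even an archived outbox holds nothing sensitive."""
    send_mail(username, f"Welcome {username}, your account is ready.")
    record = {"username": username, "password_hash": hash_password(password)}
    del password  # nothing but the salted hash survives this call
    return record
```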
AlmightySnoo@lemmy.world 1 year ago
That doesn’t really mean that they store it in plain text. They sent it to you after you finished creating your account, and it’s likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).
ono@lemmy.ca 1 year ago
Your guess is confirmed here.
Also, no, the password would not necessarily still be stored in plain text on their end. The cleartext password used in that email might be only in memory, and discarded after sending the message. Depends on how the UBB forum software implemented it.
Asudox@lemmy.world 1 year ago
It is still a bad idea to send the password in plaintext via email.
Cabrio@lemmy.world 1 year ago
Why not both?
Took them 23 years to fix it last time, seems public awareness would be important in the interim, no?
Cabrio@lemmy.world 1 year ago
Yes, still not worth risking using a duplicate password though.
finestnothing@lemmy.world 1 year ago
Honestly, why risk duplicate passwords even then? I have one strong password that I use for accessing my password manager, and let the password manager generate unique random passwords. Even if I had an easier password that I duplicated with some small changes, I’d still use a password manager to autofill it anyway. I use bitwarden personally, you can also self host it with vaultwarden but it seemed like more trouble than it was worth imo
wahming@monyet.cc 1 year ago
Applies to every site ever
trustnoone@lemmy.sdf.org 1 year ago
I actually think this is the case. I could be completely wrong but I swear I saw the same question like 6 years ago in another forum software that looks exactly like this one lol. And people complained about it storing plain text, but the response when asking the forum people was that it was only during that password creation, it’s not actually stored.
I don’t know if it’s crazy for me to think it’s the same forum from that many years ago, still doing the same thing and getting the same question.
glad_cat@lemmy.sdf.org 1 year ago
We all know that they store it in plain text.
ryannathans@aussie.zone 1 year ago
Came here to say this
ARk@lemm.ee 1 year ago
Well you’re late