Larion Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.
Don’t use a password
therethat you’ve used anywhere else
Just get a password manager already
Larion Studios forum stores your passwords in unhashed plaintext.
Submitted 1 year ago by Cabrio@lemmy.world to games@lemmy.world
https://lemmy.world/pictrs/image/6a3f7bd4-8bec-46c8-9330-a51ab51fb609.png
Comments
lowleveldata@programming.dev 1 year ago
TigrisMorte@kbin.social 1 year ago
Spacecraft@lemmy.world 1 year ago
I want to suggest 1Password even though it’s not free (I used bitwarden for many years though). It has its own SSH agent which is a dream.
miroppb@kbin.social 1 year ago
BitWarden is awesome. Been using it since 2 of my colleagues went to work for them
brb@sh.itjust.works 1 year ago
How is this better than Firefox built-in password manager?
Ledivin@lemmy.world 1 year ago
I just wanted to drop a reminder that both LastPass and Norton LifeLock were hacked within the past year alone.
Kbin_space_program@kbin.social 1 year ago
KeePass is a thing that exists and is fantastic.
SaltySalamander@kbin.social 1 year ago
I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.
lowleveldata@programming.dev 1 year ago
Use KeePassXC and you can’t get hacked
neatchee@lemmy.world 1 year ago
And here’s a reminder that trusting centralized service with high security access control is usually a bad idea.
I stay away from LastPass for the same reasons I stay away from TeamViewer. Security through obscurity on top of decoupling my security interests from others means other people being attacked is much less likely to cause me harm at the same time
Vash63@lemmy.world 1 year ago
And at least for LastPass no passwords were compromised. The safes themselves are E2E encrypted so they also don’t have your password.
That said, my vote is to Bitwarden as it’s open source and allows self hosting if you think you’re a more reliable admin than they are. Open plus more choice is always better.
dpkonofa@lemmy.world 1 year ago
One vote for 1Password here.
CuddlyCassowary@lemmy.world 1 year ago
I literally trust them with my life. Agreed.
nickwitha_k@lemmy.sdf.org 1 year ago
That’s very unlikely. It’s running UBB Threads, which, from what I can tell, has an auth subsystem, which au minimum would do hashing. If it’s providing you with a default at sign-up, that’s different and is what appears to be a configurable setting.
If it is completely generated for you, here’s what probably happening:
- User creation module runs a password generator and stores this and the username in memory as string variables.
- User creation module calls back to storage module to store new user data in db, including the value of the generated password var.
- Either the storage module or another middleware module hashes the password while preparing to store.
- Storage module reports success to user creation.
- User creation module prints the vars to the welcome template and unloads them from memory.
TL;DR as this is running on a long-established commercial php forum package, with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.
Cabrio@lemmy.world 1 year ago
It sends the user generated password, not an auto generated one.
hex@programming.dev 1 year ago
Yeah if they send the password in an email in plain text that’s not storing it. You can send the email before you store the password while it’s still in memory and then hash it and store it.
vox@sopuli.xyz 1 year ago
no, they dont.
they just send it to your email upon registration.Mirodir@discuss.tchncs.de 1 year ago
…and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.
Thadrax@lemmy.world 1 year ago
Automatically generated emails usually don’t get saved.
tb_@lemmy.world 1 year ago
But that still means they had your plaintext password at some point.
vox@sopuli.xyz 1 year ago
hashing on client side is considered a bad idea and almost never done.
Kilamaos@lemmy.world 1 year ago
Of course. You receive the password in plain on account creation, do the process you need, and then store it hashed.
That’s fine and normal
Hexarei@programming.dev 1 year ago
Um. Yeah, because you provided it to them. They have to have it in plain text in order to hash it.
dangblingus@lemmy.world 1 year ago
I’ve literally never had a service provider email me my own password ever. Maybe a OTP, but never my actual password. And especially not in plaintext.
What would be the necessity behind emailing someone their own password? Doesn’t that defeat the purpose of having a password? Email isn’t secure.
wim@lemmy.sdf.org 1 year ago
I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.
A lot of cottage industry web apps also did the same.
benjacoblee@lemmy.world 1 year ago
Idk if I’m misremembering, but it’s my impression that they did this a lot in the 2000s, haha. I guess bad practices have a habit of sticking around
EssentialCoffee@midwest.social 1 year ago
I’ve had service providers physically mail my own password to me before. Just crazy.
Always use unique passwords for every site.
TheEighthDoctor@lemmy.world 1 year ago
So it’s in plaintext in their email system
Thadrax@lemmy.world 1 year ago
Generated emails usually don’t get saved, as soon as it is delivered it will be gone.
vox@sopuli.xyz 1 year ago
these emails don’t usually get copied to local outbox folder (as any oher auto generated emails)
JackbyDev@programming.dev 1 year ago
“Kinda a bad idea?” This is fucking insane.
Umbraveil@lemmy.world 1 year ago
Is it though? While it certainly isn’t something I’d recommend, and I’ve encountered it before, if E2E encryption exists we cannot assume a data exposure had occurred.
What they do on the backend has nothing to do with this notification system. Think of it as one of these credentialess authentication systems that send a ‘magic link’ to your inbox.
inclementimmigrant@lemmy.world 1 year ago
While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn’t mean they stole your password in their database as plaintext.
JackbyDev@programming.dev 1 year ago
Encrypted passwords are still an unacceptable way to store passwords. They should be hashed.
Michal@programming.dev 1 year ago
Just because they send out the password does not mean it’s not hashed. They could send the email before hashing.
jeeva@lemmy.world 1 year ago
Would you accept “in a way that can be reversed”?
tonkatwuck@lemmynsfw.com 1 year ago
It’s possible that this email is a result of forum user creation, so during that submission the plaintext password was available to send to the user. Then it would be hashed and stored.
Serdan@lemm.ee 1 year ago
Passwords shouldn’t be stored at all though 🤷♂️
Vlixz@lemmy.world 1 year ago
You mean plaintext passwords right? Ofcourse then need to store your (hashed)password!
hperrin@lemmy.world 1 year ago
You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.
Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.
icedterminal@lemmy.world 1 year ago
I recently created an Activision account during a free weekend event and discovered their password system is completely broken. 30 character limit but refused to accept any more than 12 characters. Kept erroring out with must be less than 30. Once I got it down to 12 it accepted that, but then it complained about certain special characters. Definitely not giving them financial information.
Darkassassin07@lemmy.ca 1 year ago
My bank has a character limit, but they don’t tell you about it; they just trim the password you’ve set before hashing + saving it, then when you go to login if you don’t trim your password the same way they did, login fails.
I only know this because the mobile app will actually grey out the login button as soon as you enter more than the character limit. The web app just leaves you to be confused.
exal@lemmy.ca 1 year ago
Especially if they have a maximum password length.
Not really, there are good reasons to limit password length. Like not wanting to waste compute time hashing huge passwords sent by a malicious actor. Or using bcrypt for your hashes, which has a 72 byte input limit and was considered the best option not that long ago. The limit just has to be reasonable; 72 lowercase letters is more entropy then the bcrypt hash you get out of it, for example.
jonne@infosec.pub 1 year ago
Sending your password right after you created it might not be best practice, but it doesn’t mean it’s stored unhashed in the database. It looks like they’re using a third party forum software, so it should be pretty straightforward to figure out whether they do or not.
AlmightySnoo@lemmy.world 1 year ago
it should be pretty straightforward to figure out whether they do or not
Not really since it’s closed-source: www.ubbcentral.com
But they seem to have been in business since 1997, so I highly doubt that they’d fuck up the “never store passwords in plain text” rule.
slazer2au@lemmy.world 1 year ago
Set your password to an EICAR test string and see what else you can brick on their site.
CurlyMoustache@lemmy.world 1 year ago
sysadmin420@lemmy.world 1 year ago
Holy shit beautiful. Now I wanna try it everywhere
1984@lemmy.today 1 year ago
It’s 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one. :)
Honytawk@lemmy.zip 1 year ago
There are people who purposely forget their passwords, so they use the “forgot my password” link every time they need to login.
Hard to hack them.
Kolanaki@yiffit.net 1 year ago
I’ve used the same password for everything since 1991. If anyone’s cracked it, they haven’t attempted to get into my shit. Probably because there’s nothing worthwhile to steal.
emptyother@programming.dev 1 year ago
Oh, they are. I keep telling people to WRITE DOWN YOUR PASSWORDS, and NEVER use same password on two sites. They dont listen. Its a lot easier to just remember 1-4 variations of a password and use that than carry around a password notebook. And they think themselves safe.
I’m thinking most people shouldnt use passwords at all anymore. They are a huge point of failure because people are people. We need something else to be the norm. How can we make hardware keys or something the norm for logging in? Have everyone carry around a bankcard-like thing that fit into every computer where people need credentials. Would’nt that be safer while still being accessible and convenient?
Krakatoacoo@lemmy.world 1 year ago
For those who haven’t made accounts yet, you don’t actually have to make an account to play Larian Studios games.
Miclux@lemmings.world 1 year ago
[deleted]lwuy9v5@lemmy.world 1 year ago
what a stupid comment
Dremor@lemmy.world 1 year ago
This post is pending mod review
Hello, c/Games mod here.
For everyone infosec culture, hashing and salting password consist in using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker that was able to steal a database to obtain the password. As the website is unable to decrypt said password (thank to the one way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in his database.
But
In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure if Larion Studios indeed have unhashed and unsalted password in his database.
We will review this post later today as it is arguably breaking Rule 1 and Rule 4, as well as being incorrect. in the meantime it will stay up with this pinned message.
AlmightySnoo@lemmy.world 1 year ago
That doesn’t really mean that they store it in plain text. They sent it to you after you finished creating your account, and it’s likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).
ono@lemmy.ca 1 year ago
Your guess is confirmed here.
Also, no, the password would not necessarily still be stored in plain text on their end. The cleartext password used in that email might be only in memory, and discarded after sending the message. Depends on how the UBB forum software implemented it.
Asudox@lemmy.world 1 year ago
It is still a bad idea to send the password in plaintext via email.
Cabrio@lemmy.world 1 year ago
¿Porque no los dos?
Took them 23 years to fix it last time, seems public awareness would be important in the interim, no?
Cabrio@lemmy.world 1 year ago
Yes, still not worth risking using a duplicate password though.
finestnothing@lemmy.world 1 year ago
Honestly, why risk duplicate passwords even then? I have one strong password that I use for accessing my password manager, and let the password manager generate unique random passwords. Even if I had an easier password that I duplicated with some small changes, I’d still use a password manager to autofill it anyway. I use bitwarden personally, you can also self host it with vaultwarden but it seemed like more trouble than it was worth imo
wahming@monyet.cc 1 year ago
Applies to every site ever
trustnoone@lemmy.sdf.org 1 year ago
I actually think this is the case. I could be completely wrong but I swear I saw the same question like 6 years ago in another forum software that looks exactly like this one lol. And people compalined about it storing plain text, but the response when asking the forum people was that it was only during that password creation, it’s not actually stored.
I don’t know if it’s crazy for me to think it’s the same forum from that many years ago, still doing the same thing and getting the same question.
glad_cat@lemmy.sdf.org 1 year ago
We all know that they store it in plain text.
ryannathans@aussie.zone 1 year ago
Came here to say this
ARk@lemm.ee 1 year ago
Well you’re late