Submitted 1 year ago by JackbyDev@programming.dev to programming@programming.dev
https://lemmy.world/post/5925545
This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.
Just wow, yeah. Nothing should ever send you a password in cleartext - once that’s been done, a MITM attack’s success rate just went to 100%.
It’s painless to use password resets if the person forgot the password. Never, ever should a password be in cleartext.
hunter2
Why did you put a bunch of asterisks at the bottom of your post?
I’m delighted you get the reference!
An issue if you’re reusing passwords. If not, every forgot my password email is also vulnerable.
A combination of bad practices could be… bad.
It’s painless to use password resets
Ya and have they send you the (one-time) password in plaintext
(one-time)
You make it sound like an irrelevant detail, but that’s kind of the key part. If implemented properly, it’s only valid once and for a short period of time, which greatly reduces risk.
In my experience it’s always a tokenized link, no clear text required.
Many years ago, I had forgotten my password to the Sprint websiteb so I could log in and pay my cellular bill. I had to call customer support to resolve this. After verifying my activity, the support agent read me my existing password one letter at a time. While this was alarming, I was amused she had to spell out a somewhat obscene phrase for me. This was maybe 20 years ago and I no longer use Sprint.
I no longer use Sprint
I mean, nobody else does either.
I think the OP of that post would have had a better reception if they had:
People in that thread responded with skepticism and criticism to an irresponsible, misdirected, misleading, alarmist mess of a post. That’s hardly surprising.
This was hashed out pretty thoroughly in that thread.
The initial concern over the password being stored in plaintext was shown to be a mistaken assumption, and it was made clear that this kind of email doesn’t happen anymore, it’s an outdated problem.
No need to keep the discussion going past that, is there? Much less spread it around?
Sending passwords via email Will compromise any passwords sent via email. Regardless if the password is stored anywhere in the process if the password is sent via email it is compromised and no longer safe to use. Email is not end and encrypted you have no idea who’s running the mail exchange servers that your email follows, it’s entirely possible for this company to store that password in a log dealing with their email servers. Password sent via email should be considered immediately compromised and any sites following a practice like this should not be trusted with standard passwords which you shouldn’t be using anyway.
Right, and everyone agreed that wasn’t the greatest practice. Two years ago.
This thread from two days ago was bringing attention to an issue that was fixed two years ago, and calling it out as if it was a different problem than it was.
It’s good to have discussions about security best practices, but this thread is pointless. This problem is simply not there anymore.
Sending passwords via email Will compromise any passwords sent via email.
From the sounds of it, this was a password that the server randomly generated, so it’s never been used before, and you are forced to reset the password as soon as you use it, so it’ll never be used again.
Sending passwords via email Will compromise any passwords sent via email.
100%. But that is a different problem and a different attack vector than storing passwords in plain text for authentication. When reporting security issues, it’s important to be precise.
hashed out
heheh
People weren’t really nitpicking.
it does not mean the passwords were stored in plaintext
This is debatable. Yes, there is a chance the email is being generated and sent on the fly, before the password is stored. But in situations like this there is a much larger chance it’s being stored in plain text.
They have said it is being hashed for storage: forums.larian.com/ubbthreads.php?ubb=showflat&…
I can’t fault the OP though, if I received such an email I would assume it is stored in plain text and be similarly upset.
Also if they store a copy of that email they’re effectively storing the password in plaintext even if they e properly made a salty hash brown for the database.
But in situations like this there is a much larger chance it’s being stored in plain text.
I suppose, but OP said in the title that the passwords were being stored in plaintext, despite that not being the case.
Why wouldn’t it be generated and sent immediately? If someone has the inclination to do this type of thing, they probably also want to do things synchronously and immediately.
Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring [the actual point]
This is the experience working in a professional software development setting, yes.
Everyone seems more interested in nitpicking
Actually, not everyone in that thread is nitpicking. There’s one comment that’s just a helpful hint.
But yes, nitpicking is fun. I’ll see myself out.
No, I’ll allow it, this is a good post. Not even being sarcastic, did me a grin haha
Everyone seems more interested in nitpicking the specifics of what OP is saying
Yep. That’s how security works. You have to nitpick the specifics.
The hard reality is nobody has ever invented a perfectly secure authentication system that is easy to use (for example, allows easy recovery when people forget their password which for any large service will be tens of millions of times per day).
But the thing is that you should never have access to the plaintext password and thus you should never be able to receive it in an email. You should store the salted hash of the password instead of the password itself.
These kind of forums don’t store the plaintext password, they send an email while in memory, and hash them afterwards. Still bad security, but it’s not storing it in plaintext.
When I say “nitpicking the specifics” I mean OP is saying things like the password should never be unencrypted in memory in the same comment as mentioning things like the password in plaintext in the email and folks are more interested in browbeating over the first thing rather than acknowledging the second as a problem. I see this behavior far too often in tech spaces online. People are often more concerned with being pedantic and technically correct than anything else.
The person you’re responding is doing the exact same thing you are complaining about, and finished their comment with something obviously wrong. They are not arguing in good faith
Uh, I seem to recall this happening when I made a Larian account. What happens is you give them your email, they make your account, and email you a temporary password. The temp password is shown in plaintext, as the email shows. Once I saw the email, I logged in to finalize my account and change my password to something secure. It’s not the most modern process, but I wasn’t really that concerned either.
OP misspoke, lied, or it was different when you joined then.
This was just recently since BG3 came out. Since I first saw this drama I was pretty sure OP was misrepresenting the situation.
OP of that thread was talking about how (they think) the password was stored in plain text instead of this “tree” you’re talking about. The discussion on that was not a nitpick.
The forest is bad practice with passwords, since you get an email of your password after setting it.
The tree is OP not knowing how to describe why it’s bad and saying the wrong reason why.
I mean, there were a lot of forests in that thread. Like how it was an old screenshot and they don’t do it these emails anymore. Or you shouldn’t re-use passwords anyways. I don’t blame people for missing 1 or 2 forests.
The number of people accepting email for some magic thing without in-between mechanisms is ridiculous. If it's sent in an email you should 100% consider it to be stored in plaintext in multiple places. There is incredible amount of machinery between your mail() call and the end user reading that email, on both the sending and receiving end. For example, my spam filter (rspamd) will likely store a copy of it for a while, and that's not unique to it.
What's in the database is not really relevant. Only the worst instance of storage counts.
A sad truth and sadly not uncommon. Some people seem to get a kick out of showing of how much “smarter” they are than the next person, side tracking the whole conversation in the process. I really don’t get why someone would think that’s called for.
It’s not “side tracking” when the thing being corrected is literally in the title of the post.
If you’re following proper security procedures you wouldn’t be using the same password for anything else, so they are overly concerned about the wrong things while parading being top notch security wise while not doing it themselves.
Yeah it’s an issue, but only an issue if you’ve set yourself up to be vulnerable.
I agree. Unfortunately many folks who are attracted to security issues and topics don't have a great holistic view of things. The idea of security is that something can go wrong and you are still ok, and that you apply context appropriate measures. Of course sending a password through email isn't good, but it's a gaming forum. A security conscious individual should have randomly generated passwords for everything and no reuse. Likewise, it wasn't a bank or a security company, it was an old forum software for public discussions, so contextually this isn't a top concern.
The cherry on top is that it appears to have been an old screenshot and already addressed.
Its weird how there seems to be a group dedicated to creating and subsequently reporting on imagined faults within Larian. There have been a few articles and now that guy who used an out of date screenshot to make an unfounded claim.
They aren't perfect, and there are a fair number of things issues in BG3.
Like that it has a number of the same issues as their previous game, Divinity Original Sin 2. Suggesting that they didn't see those issues as issues, or didn't see a need to change their process to correct them.
It’s criticism directed at a service provider, not users. Service providers should assume users reuse passwords. Security is about protecting everyone.
Than direct it at the service provider? Oh wait it got fixed a while ago.
Also where does their liability stop? Should they also just assume everyone is compromised? Where does the users onus come into play? I guess they shouldn’t send password resets than, since they should assume that their email is compromised already….
Yeah that’s actually a terrible idea if they must assume that they must protect everyone. Sorry can’t reset your password your email must be compromised.
The only issue I can see is why are you sending the password to the person in the email at all just seems redundant… I think I may have run into a tree though.
As frustrating as it is, it is a gaming community. I’d be mortified if it were a cybersecurity or experienced developer community.
Then you realize that some of the game-related 2fa apps out there are more secure than a lot of online banking credentials.
Definitely. You don’t send passwords, ever, even if it’s encrypted by a quantic email server from the future.
mosiacmango@lemm.ee 1 year ago
Larian stated on their forum they fixed this behavior and shifted to https 3 years ago. When this was linked several times in thread, people asked OP when this screenshot occured, OP ignored the questions. Pretty clear that this is a very old screenshot of what is now a non issue.
What’s to discuss besides OP trying to stir up drama about issues that were resolved years ago?
Pyroglyph@lemmy.world 1 year ago
What do you mean? It says “0 minutes ago”! Clearly it’s very recent! /s
BigDanishGuy@sh.itjust.works 1 year ago
Yeah this is the internet, not lame stream media that lies to you. /r
ono@lemmy.ca 1 year ago
FWIW, it’s not fixed as of today. (Maybe Larian patched the vendor code 3 years ago and it resurfaced when they installed a new version?) Regardless, the post in question was bad reporting, as I detailed in another comment here.
elbarto777@lemmy.world 1 year ago
Are you saying that the parent poster is giving incorrect information?
abbadon420@lemm.ee 1 year ago
It’s still an interesting case to discuss and learn about. We don’t ignore and forget about ww2, just because it’s over, do we?!
Marzepansion@programming.dev 1 year ago
It’s disingenuous to pass off ww2 as a current event though.