This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.
Larian stated on their forum they fixed this behavior and shifted to https 3 years ago. When this was linked several times in thread, people asked OP when this screenshot occured, and OP ignored the questions. Pretty clear that this is a very old screenshot of what is now a non issue.
What’s to discuss besides OP trying to stir up drama about issues that were resolved years ago?
this is a very old screenshot
What do you mean? It says “0 minutes ago”! Clearly it’s very recent! /s
FWIW, it’s not fixed. The screen shot may very well be recent.
(The post in question was still bad reporting, though, for the reasons I detailed in my other comment here.)
Are you saying that the parent poster is giving incorrect information?
Edit: Oy, straight from their membership administration docs (emphasis mine):
Additionally, using the buttons below, you can delete the user, email the user’s password to him/her, (etc)
Are you saying that the parent poster is giving incorrect information?
Yes. mosiacmango’s comment repeated what others had already said (right down to specific words that I used in the original thread and here), and then jumped to this conclusion:
Pretty clear that this is a very old screenshot of what is now a non issue.
Everything about that statement is false. While the circumstances made it seem likely that the screenshot was old, it was not clearly so, and in fact, it turns out the issue is still present. I checked it. A registration email from the test I ran yesterday looked just like the screenshot in question, cleartext password and all.
Given that Larian reported the issue fixed three years ago, it’s possible that they fixed it locally and some time later upgraded to a new version of the forum software, thereby overwriting the local fix. Perhaps mosiacmango should have considered that before posting incorrect speculation as if it were fact.
It’s still an interesting case to discuss and learn about. We don’t ignore and forget about ww2, just because it’s over, do we?!
Just wow, yeah. Nothing should ever send you a password in cleartext - once that’s been done, a MITM attack’s success rate just went to 100%.
It’s painless to use password resets if the person forgot the password. Never, ever should a password be in cleartext.
hunter2
I’d be more worried if someone who uses the internet to such a degree that they use Lemmy over Reddit, on a programming forum, didn’t get the reference. This is famous hacker lore at this point.
It’s painless to use password resets
Ya and have they send you the (one-time) password in cleartext
(one-time)
You make it sound like an irrelevant detail, but that’s kind of the key part. If implemented properly, it’s only valid once and for a short period of time, which greatly reduces risk.
Well, the tokenized link is essentially a clear text one time password. Not really any better than just a one time password except for the convenience that the user does not need to type it in. If someone gets hold of the link or password before you they can get access to your account.
Many years ago, I had forgotten my password to the Sprint websiteb so I could log in and pay my cellular bill. I had to call customer support to resolve this. After verifying my activity, the support agent read me my existing password one letter at a time. While this was alarming, I was amused she had to spell out a somewhat obscene phrase for me. This was maybe 20 years ago and I no longer use Sprint.
MITM attack’s success rate just went to 100%
No, it didn’t. It’s stupid and shouldn’t be done, but all ham nowadays is encrypted.
I know that because I’ve been running my email server for some years now, technically breaking one of the RFCs for not allowing unencrypted connections. Zero email has been missed.
While I agree that likely most SMTP traffic is sent encrypted these days, you simply cannot be sure. Just because you received something over an encrypted connection doesn’t mean that relays in between also used this. The webserver could have handed over the email unencrypted to an SMTP server for all you know. And even if an encrypted connection was used the mail might still have been copied to a log on the SMTP server. Email is unfortunately inherently unsafe.
I think the OP of that post would have had a better reception if they had:
- Responsibly disclosed what they found, rather than using it to stir up drama on social media.
- Mentioned that it’s just a web forum account, not connected to game accounts or anything else of value.
- Targeted the software vendor (https://www.ubbcentral.com/) instead of picking on one particular customer who used that software.
- Refrained from spreading misconceptions and unfounded assumptions about how the technology works.
- Responded to the reasonable follow-up questions, such as those that came when readers discovered that the problem was reported fixed three years ago.
People in that thread responded with skepticism and criticism to an irresponsible, misdirected, misleading, alarmist mess of a post. That’s hardly surprising.
This was hashed out pretty thoroughly in that thread.
The initial concern over the password being stored in plaintext was shown to be a mistaken assumption, and it was made clear that this kind of email doesn’t happen anymore, it’s an outdated problem.
No need to keep the discussion going past that, is there? Much less spread it around?
Sending passwords via email Will compromise any passwords sent via email. Regardless if the password is stored anywhere in the process if the password is sent via email it is compromised and no longer safe to use. Email is not end and encrypted you have no idea who’s running the mail exchange servers that your email follows, it’s entirely possible for this company to store that password in a log dealing with their email servers. Password sent via email should be considered immediately compromised and any sites following a practice like this should not be trusted with standard passwords which you shouldn’t be using anyway.
Right, and everyone agreed that wasn’t the greatest practice. Two years ago.
This thread from two days ago was bringing attention to an issue that was fixed two years ago, and calling it out as if it was a different problem than it was.
It’s good to have discussions about security best practices, but this thread is pointless. This problem is simply not there anymore.
Email isn’t end to end encrypted but, but it generally is encrypted. The people who will have it are the sender (who already have the password since they created it) and whoever runs the recipient’s mail server. Which is hopefully someone the recipient trusts.
From the sounds of it, this was a password that the server randomly generated, so it’s never been used before, and you are forced to reset the password as soon as you use it, so it’ll never be used again and they do treat it as “immediately compromised”.
Hardly state of the art security, but it also doesn’t really have any major problems… especially since this is for a forum.
People weren’t really nitpicking.
- it’s obviously bad to send an email with a plaintext password
- the website owners had apparently already resolved the issue
- it does not mean the passwords were stored in plaintext
- the OP sounds like a skiddie in a bunch of comments and doesn’t seem to understand how most websites with auth work
it does not mean the passwords were stored in plaintext
This is debatable. Yes, there is a chance the email is being generated and sent on the fly, before the password is stored. But in situations like this there is a much larger chance it’s being stored in plain text.
They have said it is being hashed for storage: https://forums.larian.com/ubbthreads.php?ubb=showflat&Number=669268#Post669268
I can’t fault the OP though, if I received such an email I would assume it is stored in plain text and be similarly upset.
Reversible hashed password storage isn’t meaningfully better than clear text.
- The key to reverse the hash is typically (necessarily) stored in the same infrastructure as the password. Bad actors with access to one have access to the combination.
- Even if an attacker fails to exfiltrate the key to the reversible hash, it’s typically only a matter of days at the most before they can reverse engineer it, and produce plain text copies of every password they obtained the hash of.
A reversible hash provides a paper thin layer of protection against accidental disclosure. A one way hash is widely considered the bare minimum for password storage.
Anyone claiming a password has been protected, and then being able to produce the original password, is justly subject to ridicule in security communities.
But in situations like this there is a much larger chance it’s being stored in plain text.
I suppose, but OP said in the title that the passwords were being stored in plaintext, despite that not being the case.
Using “we use a reversible hash” to claim “we don’t store passwords in plain text” is the “corn syrup is not sugar” of the cybersecurity world.
It’s technically correct, while also a bald faced lie.
Also if they store a copy of that email they’re effectively storing the password in plaintext even if they e properly made a salty hash brown for the database.
Why wouldn’t it be generated and sent immediately? If someone has the inclination to do this type of thing, they probably also want to do things synchronously and immediately.
Because one egregious decision normally begets another.
Look at it this way, if you walk into a pizza joint and there are roaches wandering around on the walls, is it not more likely the food is also unsafe to eat?
Yes, this could just be one horrible decision, but this decision shows you where the mind of the developer/team was when thinking through their security.
