476
submitted 1 year ago by Cabrio@lemmy.world to c/games@lemmy.world

Larion Studios forum stores your passwords in unhashed plaintext. Don't use a password there that you've used anywhere else.

you are viewing a single comment's thread
view the rest of the comments
[-] lwuy9v5@lemmy.world 10 points 1 year ago
[-] Miclux@lemmings.world 8 points 1 year ago

Show me where the proof is that they STORE it plain text. This is just a screen of a mail after creating an account.

[-] Cabrio@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

They can't send it if they haven't stored it, that's the proof. Whether temporary or not it's a weakness and attack vector for obtaining unhashed passwords. And if they stored it, it should be immediately hashed at which point they can't send it.

[-] rikudou@lemmings.world 10 points 1 year ago

That... is not how it works. It is usually hashed and at the same time an email is sent. Meaning it's not stored plaintext in any storage.

[-] redcalcium@lemmy.institute 2 points 1 year ago

Plenty of website did this... more than a decade ago, and even then plenty of security conscious people writing blogs and posting on social media begging devs to stop doing this.

[-] Cabrio@lemmy.world 2 points 1 year ago

You'll forgive me for not trusting anyone who can tell me my password that isn't me.

[-] Miclux@lemmings.world 4 points 1 year ago

That's a totally different statement than that in your post.

[-] Cabrio@lemmy.world 1 points 1 year ago
[-] Miclux@lemmings.world 3 points 1 year ago

Arguing is not your thing, buddy? 🤡

[-] Cabrio@lemmy.world 1 points 1 year ago

If self awareness was a disease you'd be the healthiest person alive.

[-] towerful@programming.dev 4 points 1 year ago* (last edited 1 year ago)

They can still send it while the value is in memory.
But it's unlikely that emails are sent synchronously. At which point, it has to be added to a job queue somewhere which might not be in memory.
There is also the communication with that job queue, and logging along the way, and any email logging.
Email isn't secure, either.

So, it bad practice regardless.

Thankfully larian did address this, and fixed the issue as pointed out by another commenter.
Addressed here, with the follow up of fixing it:
https://forums.larian.com/ubbthreads.php?ubb=showflat&Number=669268#Post669268

And that was back in 2020. 3 years ago.

[-] Miclux@lemmings.world 3 points 1 year ago

It's so sad that you spread misinformation based on your inadequate knowledge.

[-] vox@sopuli.xyz 3 points 1 year ago* (last edited 1 year ago)

they can send it without storing. In fact a lot of websites (mostly small outdated forum systems) send your password to your email before storing it.

this post was submitted on 28 Sep 2023
476 points (100.0% liked)

Games

32655 readers
889 users here now

Welcome to the largest gaming community on Lemmy! Discussion for all kinds of games. Video games, tabletop games, card games etc.

Weekly Threads:

What Are You Playing?

The Weekly Discussion Topic

Rules:

  1. Submissions have to be related to games

  2. No bigotry or harassment, be civil

  3. No excessive self-promotion

  4. Stay on-topic; no memes, funny videos, giveaways, reposts, or low-effort posts

  5. Mark Spoilers and NSFW

  6. No linking to piracy

More information about the community rules can be found here.

founded 1 year ago
MODERATORS