submitted 1 year ago by Cabrio@lemmy.world to c/games@lemmy.world

Larian Studios forum stores your passwords in unhashed plaintext. Don't use a password there that you've used anywhere else.

[-] Dremor@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Hello, c/Games mod here.

This post has been reviewed as valid by the mod team

For everyone's infosec culture, hashing and salting passwords consists of using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker that was able to steal a database to obtain the password. As the website is unable to decrypt said password (thanks to the one-way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in its database.

But

In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure if Larian Studios indeed has unhashed and unsalted passwords in its database.

[-] AlmightySnoo@lemmy.world 160 points 1 year ago

That doesn't really mean that they store it in plain text. They sent it to you after you finished creating your account, and it's likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).

[-] ono@lemmy.ca 104 points 1 year ago* (last edited 1 year ago)

Your guess is confirmed here.

There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content). After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.

...and later...

The forum has been updated to https, and passwords are no longer being sent by email.

Which raises the question of how old OP's screen shot is.

Also, no, the password would not necessarily still be stored in plain text on their end. The cleartext password used in that email might be only in memory, and discarded after sending the message. Depends on how the UBB forum software implemented it and how Larian's mail servers are set up.

EDIT: I just verified that this behavior has resurfaced since it was originally fixed. OP would do well to responsibly report it, rather than stirring up drama over a web forum account.

[-] Asudox@lemmy.world 20 points 1 year ago* (last edited 1 year ago)

It is still a bad idea to send the password in plaintext via email. You never know when Bard will take a peek and then share your password among users as a demo account to try that forum.

[-] Empricorn@feddit.nl 17 points 1 year ago* (last edited 1 year ago)

There's a lot of reasons why emailing passwords is not the best practice... But AI bots stealing your password to give people free demos is a wild paranoid fever dream.

EDIT: Apparently, I replied to a joke.

[-] Cabrio@lemmy.world 18 points 1 year ago

Yes, still not worth risking using a duplicate password though.

[-] finestnothing@lemmy.world 51 points 1 year ago

Honestly, why risk duplicate passwords even then? I have one strong password that I use for accessing my password manager, and let the password manager generate unique random passwords. Even if I had an easier password that I duplicated with some small changes, I'd still use a password manager to autofill it anyway. I use Bitwarden personally; you can also self-host it with Vaultwarden, but it seemed like more trouble than it was worth imo.

[-] Decoy321@lemmy.world 22 points 1 year ago* (last edited 1 year ago)

This is a friendly reminder to everyone that password managers are not risk free either. LastPass was hacked last year, NortonLifeLock earlier this year.

[-] finestnothing@lemmy.world 13 points 1 year ago

Personally the risk of bitwarden is outweighed by its convenience (compared to self hosted/local only solutions) in my opinion, but I know that'll change real quick if bitwarden ever has a breach. If it does I'm jumping ship to a self hosted or local only solution, but I'm hoping that doesn't have to happen

[-] underisk@lemmy.ml 12 points 1 year ago

Bitwarden is end to end encrypted. If the host gets hacked your passwords are still as safe as your master password is. Self hosting wouldn’t really be a huge help there. Possibly even detrimental depending on your level of competence at securing a public facing web host.

[-] lowleveldata@programming.dev 99 points 1 year ago

Don’t use a password ~~there~~ that you’ve used anywhere else

Just get a password manager already

[-] TigrisMorte@kbin.social 73 points 1 year ago
[-] Spacecraft@lemmy.world 14 points 1 year ago

I want to suggest 1Password even though it’s not free (I used bitwarden for many years though). It has its own SSH agent which is a dream.

[-] Ledivin@lemmy.world 34 points 1 year ago* (last edited 1 year ago)

I just wanted to drop a reminder that both LastPass and Norton LifeLock have been hacked within the past year alone.

[-] Kbin_space_program@kbin.social 29 points 1 year ago

KeePass is a thing that exists and is fantastic.

[-] SaltySalamander@kbin.social 26 points 1 year ago

I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.

[-] SomeRandomWords 19 points 1 year ago

Can I discourage rolling your own password manager (like using a text doc or spreadsheet) and instead recommend what you hopefully meant, self-hosting your own password manager?

[-] AnonTwo@kbin.social 13 points 1 year ago

I don't know what you're trying to say. I think it was safe to assume Salty probably meant the local-based keepass or something like that?

I wouldn't have immediately gone to text doc or spreadsheet. those aren't password managers.

[-] lowleveldata@programming.dev 15 points 1 year ago

Use KeePassXC and you can't get hacked

[-] nickwitha_k@lemmy.sdf.org 67 points 1 year ago

That's very unlikely. It's running UBB Threads, which, from what I can tell, has an auth subsystem, which at minimum would do hashing. If it's providing you with a default at sign-up, that's different and is what appears to be a configurable setting.

If it is completely generated for you, here's what's probably happening:

  1. User creation module runs a password generator and stores this and the username in memory as string variables.
  2. User creation module calls back to storage module to store new user data in db, including the value of the generated password var.
  3. Either the storage module or another middleware module hashes the password while preparing to store.
  4. Storage module reports success to user creation.
  5. User creation module prints the vars to the welcome template and unloads them from memory.

TL;DR: as this is running on a long-established commercial PHP forum package, with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.

[-] Cabrio@lemmy.world 15 points 1 year ago

It sends the user generated password, not an auto generated one.

[-] hex@programming.dev 32 points 1 year ago

Yeah if they send the password in an email in plain text that's not storing it. You can send the email before you store the password while it's still in memory and then hash it and store it.

[-] Cabrio@lemmy.world 14 points 1 year ago* (last edited 1 year ago)

Stored in memory is still stored. It's still unencrypted during data processing. Still bad practice and a security vulnerability at best. Email isn't E2E encrypted.

[-] beefcat@lemmy.world 33 points 1 year ago* (last edited 1 year ago)

there is no possible way to handle sensitive data without storing it in memory at some point

it’s where you do all the salting, hashing, and encrypting

emailing out credentials like this after sign up is certainly not best practice, but probably not a huge deal for a video game forum of all things. if you are re-using passwords then you already have a way bigger problem.

[-] JackbyDev@programming.dev 14 points 1 year ago

emailing out credentials like this after sign up is certainly not best practice,

Understatement of the year right here. Everyone in this thread is more interested in dunking on OP for the few wrong statements they make rather than focusing on the fact that a service is emailing their users their password (not an autogenerated "first time" one) in plaintext in an email.

[-] oneiros 23 points 1 year ago

Stored in memory is still stored.

Given what I know about how computers accept user input, I am fascinated to hear what the alternative is.

[-] vox@sopuli.xyz 61 points 1 year ago* (last edited 1 year ago)

no, they probably don't.
they just send it to your email upon registration, which is kinda a bad idea, but they are probably storing passwords hashed afterwards.

[-] Mirodir@discuss.tchncs.de 25 points 1 year ago

...and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.

[-] tb_@lemmy.world 22 points 1 year ago* (last edited 1 year ago)

But that still means they had your plaintext password at some point.

Edit: which, as some replies suggest, may not actually be much of an issue.
I'm still skeptical about them returning it, however.

[-] vox@sopuli.xyz 14 points 1 year ago* (last edited 1 year ago)

hashing on client side is considered a bad idea and almost never done.
you actually send your password "in plain text" every time you sign up.

[-] darkkite@lemmy.ml 20 points 1 year ago

this is still a terrible idea. the system should never know the plaintext password.

logs capture a lot, even automated emails. i don't see a single reason to send the user their plaintext password and many reasons why they shouldn't

[-] dangblingus@lemmy.world 19 points 1 year ago

I've literally never had a service provider email me my own password ever. Maybe an OTP, but never my actual password. And especially not in plaintext.

What would be the necessity behind emailing someone their own password? Doesn't that defeat the purpose of having a password? Email isn't secure.

[-] wim@lemmy.sdf.org 12 points 1 year ago

I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.

A lot of cottage industry web apps also did the same.

[-] TheEighthDoctor@lemmy.world 15 points 1 year ago

So it's in plaintext in their email system

[-] JackbyDev@programming.dev 13 points 1 year ago

"Kinda a bad idea?" This is fucking insane.

[-] jonne@infosec.pub 49 points 1 year ago* (last edited 1 year ago)

Sending your password right after you created it might not be best practice, but it doesn't mean it's stored unhashed in the database. It looks like they're using a third party forum software, so it should be pretty straightforward to figure out whether they do or not.

Looks like they address it here: https://forums.larian.com/ubbthreads.php?ubb=showflat&Number=669268#Post669268

[-] AlmightySnoo@lemmy.world 14 points 1 year ago

it should be pretty straightforward to figure out whether they do or not

Not really since it's closed-source: https://www.ubbcentral.com/

But they seem to have been in business since 1997, so I highly doubt that they'd fuck up the "never store passwords in plain text" rule.

[-] hperrin@lemmy.world 49 points 1 year ago

You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.

Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.

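As an added example (not code from the thread, from Larian, or from UBB Threads), here is nickwitha_k's five-step sign-up flow written so that the plaintext password lives only in the request handler, the stored record is a per-user salt plus a one-way hash, and the welcome email never echoes the credential; it also shows hperrin's point that the hash has a fixed length, so the only password length limit is what the server chooses to accept. The names (USERS, register, verify, stored_bytes) and the PBKDF2 work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table: username -> (salt, hash).
# Stands in for a forum's DB row; no real schema is implied.
USERS = {}

# Server-side acceptance limit (hperrin's point): bounds the request,
# not a database column, because the stored hash is fixed-size anyway.
MAX_PASSWORD_LEN = 1024
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor, chosen for illustration


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, one-way, always 32 bytes of output regardless of input length.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> str:
    """Steps 1-5 of the sign-up flow. The plaintext exists only in this
    frame and is dropped on return; the welcome message never contains it."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password exceeds server limit")
    salt = os.urandom(16)  # fresh random salt per user
    USERS[username] = (salt, hash_password(password, salt))  # store hash only
    return f"Welcome, {username}! Your account is active. Log in with the password you chose."


def verify(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Burn the same work for unknown users so timing doesn't reveal valid names.
        hash_password(password, bytes(16))
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, hash_password(password, salt))


def stored_bytes(username: str) -> bytes:
    """What a database thief would obtain: salt + hash, nothing reversible."""
    salt, digest = USERS[username]
    return salt + digest
```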
[-] inclementimmigrant@lemmy.world 47 points 1 year ago* (last edited 1 year ago)

While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn't mean they store your password in their database as plaintext.

[-] JackbyDev@programming.dev 33 points 1 year ago

Encrypted passwords are still an unacceptable way to store passwords. They should be hashed.

[-] Cloodge@lemmy.world 15 points 1 year ago

(and salted before hashing.)

[-] jeeva@lemmy.world 15 points 1 year ago

Would you accept "in a way that can be reversed"?

[-] Serdan@lemm.ee 14 points 1 year ago

Passwords shouldn't be stored at all though 🤷‍♂️

[-] Vlixz@lemmy.world 14 points 1 year ago

You mean plaintext passwords, right? Of course they need to store your (hashed) password!

[-] slazer2au@lemmy.world 34 points 1 year ago

Set your password to an EICAR test string and see what else you can brick on their site.

this post was submitted on 28 Sep 2023
476 points (100.0% liked)
