Larian Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.

  • @inclementimmigrant
    36
    9 months ago

    While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn’t mean they store your password in their database as plaintext.

    • JackbyDev
      31
      9 months ago

      Encrypted passwords are still an unacceptable way to store passwords. They should be hashed.

      • @Cloodge
        15
        9 months ago

        (and salted before hashing.)

        • @Dicska
          11
          9 months ago

          And marinated in butter milk.

          • @Cloodge
            2
            9 months ago

            Peppered if you’re feeling extra

      • @[email protected]
        8
        9 months ago

        Just because they send out the password does not mean it’s not hashed. They could send the email before hashing.

        • JackbyDev
          5
          9 months ago

          You’re correct, and after reading more of the thread I saw OP say this was sent immediately after registering. I don’t have reason to believe it is stored in plaintext unless they’re storing a copy of every email they send.

    • @jeeva
      14
      9 months ago

      Would you accept “in a way that can be reversed”?

      • @[email protected]
        2
        9 months ago

        It’s possible that this email is a result of forum user creation, so during that submission the plaintext password was available to send to the user. Then it would be hashed and stored.

        • @Serinus
          1
          9 months ago

          I don’t know why you’d give them any benefit of the doubt. They should have already killed that with this terrible security practice.

          But yeah, sure, maybe this one giant, extremely visible lapse in security is the only one they have.

          • @[email protected]
            0
            9 months ago

            I’m just explaining how user authentication works for most web applications. The server will process your plaintext password when your account is created. It should then store that as a hashed string, but it can ALSO send out an email with that plaintext password to the user describing their account creation. This post does not identify that passwords are stored in plaintext, it just identifies that they email plaintext passwords which is poor security practice.

            • @Serinus
              1
              9 months ago

              This particular poor security practice is very much like a roach. If you see one you have a bigger problem.

              See, I can also repeat myself as though you didn’t understand the first time.

      • @Vlixz
        12
        9 months ago

        You mean plaintext passwords, right? Of course they need to store your (hashed) password!

          • @Vlixz
            4
            9 months ago

            My bad! I just misunderstood >⁠.⁠<

        • @TheFogan
          2
          9 months ago

          Point is, a hash isn’t a password. Giving the most “you don’t need tech knowledge” analogy, it’s like the password’s fingerprint.

          The police station may keep your daughter’s fingerprint so that if they find a lost child they can recognize it is your daughter beyond any doubt. Your daughter’s fingerprints are like a hash; your daughter is a password.

          The police should not store your daughter… that’s bad practice. The fingerprints are all they should store, and needless to say the fingerprints aren’t your daughter, just as a hash isn’t a password.
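
The flow the replies above describe (salt, pepper, hash, with the plaintext available only while the registration request is handled), as an added example that is not part of the thread and not the forum software's code. The names `register`, `verify`, `PEPPER` and the dict `db` are assumptions for illustration, and scrypt is one choice of slow password hash.

```python
import hashlib
import hmac
import os

# Constructed value for illustration; a real pepper is kept outside the database.
PEPPER = b"constructed-demo-pepper"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def _derive(password: str, salt: bytes) -> bytes:
    # Pepper: keyed HMAC with a secret that is not stored next to the hashes.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    # Salted, deliberately slow, one-way hash (unlike encryption, no key reverses it).
    return hashlib.scrypt(peppered, salt=salt, **SCRYPT_PARAMS)


def register(db: dict, username: str, password: str) -> dict:
    """Hypothetical registration handler: plaintext exists only inside this call."""
    salt = os.urandom(16)  # unique per user, so equal passwords get different hashes
    record = {"salt": salt.hex(), "hash": _derive(password, salt).hex()}
    db[username] = record  # only salt + hash are persisted
    return record


def verify(db: dict, username: str, attempt: str) -> bool:
    record = db.get(username)
    if record is None:
        return False
    expected = bytes.fromhex(record["hash"])
    actual = _derive(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)  # constant-time comparison


def stored_bytes(db: dict) -> bytes:
    """Everything a database dump would reveal."""
    return repr(sorted(db.items())).encode("utf-8")


if __name__ == "__main__":
    db = {}
    register(db, "alice", "constructed-password-1")
    register(db, "bob", "constructed-password-1")
    print("login ok:", verify(db, "alice", "constructed-password-1"))
    print("same password, different hashes:", db["alice"]["hash"] != db["bob"]["hash"])
    print("plaintext in dump:", b"constructed-password-1" in stored_bytes(db))
```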