Comment

Comment on Larion Studios forum stores your passwords in unhashed plaintext.

AlmightySnoo@lemmy.world ⁨8⁩ ⁨months⁩ ago

That doesn’t really mean that they store it in plain text. They sent it to you after you finished creating your account, and it’s likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).

source

Sort:hotnew top

ono@lemmy.ca ⁨8⁩ ⁨months⁩ ago
Your guess is confirmed here.

There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content). After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.

Also, no, the password would not necessarily still be stored in plain text on their end. The cleartext password used in that email might be only in memory, and discarded after sending the message. Depends on how the UBB forum software implemented it.

source
- Asudox@lemmy.world ⁨8⁩ ⁨months⁩ ago
  It is still a bad idea to send the password in plaintext via email.
  
  source
  - Empricorn@feddit.nl ⁨8⁩ ⁨months⁩ ago
    There’s a lot of reasons why emailing passwords is not the best practice… But AI bots stealing your password to give people free demos is a wild paranoid fever dream.
    
    source
    Asudox@lemmy.world ⁨8⁩ ⁨months⁩ ago
    It is meant to be as a joke, of course the AI is not that dumb enough to give it away as free demo. Why am I being downvoted? Why don’t people understand jokes these days? Do I always have to include /s when making a sarcastic joke?
    
    source
    -> View More Comments
  - ono@lemmy.ca ⁨8⁩ ⁨months⁩ ago
    Nobody suggested otherwise.
    
    source
  - nogooduser@lemmy.world ⁨8⁩ ⁨months⁩ ago
    You should always change your password from the system generated one to prevent that from happening. The app that you signed up for should enforce that by making you change your password when you log in.
    
    source
    Cabrio@lemmy.world ⁨8⁩ ⁨months⁩ ago
    It’s not a system generated one they sent, it was user generated.
    
    source
- Cabrio@lemmy.world ⁨8⁩ ⁨months⁩ ago
  
  OP would do well to responsibly report it, rather than stirring up drama over a web forum account.
  
  ¿Porque no los dos?
  
  Took them 23 years to fix it last time, seems public awareness would be important in the interim, no?
  
  source
Cabrio@lemmy.world ⁨8⁩ ⁨months⁩ ago
Yes, still not worth risking using a duplicate password though.

source
- finestnothing@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Honestly, why risk duplicate passwords even then? I have one strong password that I use for accessing my password manager, and let the password manager generate unique random passwords. Even if I had an easier password that I duplicated with some small changes, I’d still use a password manager to autofill it anyway. I use bitwarden personally, you can also self host it with vaultwarden but it seemed like more trouble than it was worth imo
  
  source
  - Decoy321@lemmy.world ⁨8⁩ ⁨months⁩ ago
    This is a friendly reminder that password managers are not risk free either. LastPass was hacked last year, NortonLifeLock earlier this year.
    
    source
    finestnothing@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Personally the risk of bitwarden is outweighed by its convenience (compared to self hosted/local only solutions) in my opinion, but I know that’ll change real quick if bitwarden ever has a breach. If it does I’m jumping ship to a self hosted or local only solution, but I’m hoping that doesn’t have to happen
    
    source
    neatchee@lemmy.world ⁨8⁩ ⁨months⁩ ago
    This is why I don’t use a common centralized password manager, just like I don’t use any of the most popular remote desktop solutions like TeamViewer for unattended access.
    
    I run a consumer copy of Pleasant Password Manager out of AWS and use NoMachine for unattended access to any machines where I need it.
    
    Security through obscurity is tried and true. Put as little of your security attack surface in the hands of others as is reasonable.
    
    source
- wahming@monyet.cc ⁨8⁩ ⁨months⁩ ago
  Applies to every site ever
  
  source
trustnoone@lemmy.sdf.org ⁨8⁩ ⁨months⁩ ago
I actually think this is the case. I could be completely wrong but I swear I saw the same question like 6 years ago in another forum software that looks exactly like this one lol. And people compalined about it storing plain text, but the response when asking the forum people was that it was only during that password creation, it’s not actually stored.

I don’t know if it’s crazy for me to think it’s the same forum from that many years ago, still doing the same thing and getting the same question.

source
glad_cat@lemmy.sdf.org ⁨8⁩ ⁨months⁩ ago
We all know that they store it in plain text.

source
ryannathans@aussie.zone ⁨8⁩ ⁨months⁩ ago
Came here to say this

source
- ARk@lemm.ee ⁨8⁩ ⁨months⁩ ago
  Well you’re late
  
  source
  - ryannathans@aussie.zone ⁨8⁩ ⁨months⁩ ago
    I’m good thanks
    
    source