All passwords saved as plaintext, not encrypted

Post by RazorLeafAttack on Mon 11 Sep 2017 - 12:39

Hi all, my account was recently closed due to inactivity. Upon re-registering I was surprised to see that my email address was sent to me along with my password in plaintext. This does pose a security concern for people who use the same password for other sites. More info can be found here: http://plaintextoffenders.com

Don't know exactly who is in charge of the actual site maintenance and upkeep, but this is something that people should at least be aware of so you aren't using the same password here as elsewhere. And if this old format of username/password storage can be updated to more current security protocols, that would certainly be great too.

RazorLeafAttack
Newcomer

Since : 2017-09-11


Re: All passwords saved as plaintext, not encrypted

Post by SePH on Mon 11 Sep 2017 - 14:02

This forum already has an SSL certificate active for at least 150 more days, and password encryption is done server-side.

This email is only sent to you, the member, and it's not seen by anyone else. If you like you can save it in your emails saved box or delete it. The only time this email is seen by anyone else is if you let someone have your email address/password or your email address is hacked.

What you could alternatively do is to register with a 2nd email address that you only use at work and that no one in the world has... so it's safe. So what you could do is send the email to an email address that is not linked to any forum or any site... "EASY". Then delete the sent files and delete the email from your account so you will only have it hidden, not linked to your forum address.

Adding a hidden part to the password will not help members if they forget their password.
SePH

Since : 2012-06-19


Re: All passwords saved as plaintext, not encrypted

Post by RazorLeafAttack on Mon 11 Sep 2017 - 15:57

This is not about getting your email hacked though (or the risk of having your pw written in plain text in an email). It's about the actual method by which passwords are stored in the database. To quote a section of the FAQ page on the linked site from the original post:

What secure sites do is save a ‘representation’ of your password. You can only create this unique representation from passwords, but not the other way around. When you register, the site keeps only the representation, not the password. When you later enter your password in the site’s login dialog, the site uses the same mechanism to create a representation from what you entered as a password and looks to see if the representation they stored earlier matches that.

Therefore, you should never see your password. Ever. Not while you input it, not after you’re done, not in an email, not on the website itself later, not while talking to customer service. Never. If you do, they’re offenders.

My goal is not to stir up controversy, but just to point out that an email containing the password is a direct indicator that the database stores the password itself, not the "representation" of it. In the case of a database hack, this can end up revealing the Username and Password of members.

RazorLeafAttack
Newcomer

Since : 2017-09-11

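The "representation" the quoted FAQ describes is a salted, deliberately slow one-way hash. The following is an added example, not code from this forum or its software, showing a register/login flow that stores only that hash and verifies by recomputing it; the iteration count, salt length and the `algorithm$iterations$salt$hash` record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters assumed for this illustration, not the forum's own settings.
ITERATIONS = 200_000   # work factor: slows down offline guessing of a leaked hash
SALT_BYTES = 16        # per-account random salt: same password -> different records


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the representation from the submitted password and compare it."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(users: Dict[str, str], username: str, password: str) -> None:
    """Store only the hash record; the password itself is never written anywhere."""
    users[username] = hash_password(password)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    record = users.get(username)
    if record is None:
        # Burn one hash anyway so a missing account is not distinguishable by timing.
        hash_password(password)
        return False
    return verify_password(password, record)
```

Because the stored record contains no password, there is nothing a "forgot password" routine could email back; the only option is to issue a reset, which is exactly the property the FAQ is describing.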

Re: All passwords saved as plaintext, not encrypted

Post by Puzzledude on Mon 11 Sep 2017 - 16:49

This site is Https. The S is short for "secure", thus the passwords are encrypted, but they are saved as plain text obviously. It makes no difference if this is sent via email or not. The only way for anyone to gain it that way is through email account hack or email interception, which are both complex procedures.

There is no logic what a "representation" of the password is. The only thing that comes to mind is an algorithm that changes your password to another one via some method, which can also be reverse engineered.

Also, if your pw is short, the Hydra brute-force method can crack it in any case, no matter the encryption or "representation", since if it cracks the actual password, the representation is irrelevant, since you don't log in with the representation.

You should be worried for sites with Http (with no s); however, you cannot expect sites with Https protocol to change anything more regarding security.

In the case of a database hack, this can end up revealing the Username and Password of members.

Indeed, however only selected people can crack a Https site's database. It would be a lot easier for any hacker to just use DOS (denial of service) or DDOS attack, or RAT (remote access tool), or a keylogger to gain passwords. Gaining access to an entire secured site's database would require so much effort that indeed such a person or group would be capable of reverse engineering the representation algorithm as well. Like said, they would probably rather use RAT, keylog, or Phishing method to gain access to specific accounts.
Puzzledude

Since : 2012-06-20
