this post was submitted on 28 Sep 2023
323 points (75.7% liked)

Larion Studios forum stores your passwords in unhashed plaintext. Don't use a password there that you've used anywhere else.

[–] Dremor@lemmy.world 2 points 2 years ago* (last edited 2 years ago)

Hello, c/Games mod here.

This post has been reviewed as valid by the mod team

For everyone's infosec culture, hashing and salting passwords consists in using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker that was able to steal a database to obtain the passwords. As the website is unable to decrypt said password (thanks to the one-way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in its database.

But

In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure if Larion Studios indeed has unhashed and unsalted passwords in its database.

[–] AlmightySnoo@lemmy.world 159 points 2 years ago (19 children)

That doesn't really mean that they store it in plain text. They sent it to you after you finished creating your account, and it's likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).

[–] ono@lemmy.ca 107 points 2 years ago* (last edited 2 years ago) (8 children)

Your guess is confirmed here.

There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content). After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.

...and later...

The forum has been updated to https, and passwords are no longer being sent by email.

Which raises the question of how old OP's screen shot is.

Also, no, the password would not necessarily still be stored in plain text on their end. The cleartext password used in that email might be only in memory, and discarded after sending the message. Depends on how the UBB forum software implemented it and how Larian's mail servers are set up.

EDIT: I just verified that this behavior has resurfaced since it was originally fixed. OP would do well to responsibly report it, rather than stirring up drama over a web forum account.

[–] trustnoone 11 points 2 years ago

I actually think this is the case. I could be completely wrong, but I swear I saw the same question like 6 years ago in another forum software that looks exactly like this one lol. And people complained about it storing plain text, but the response when asking the forum people was that it was only during that password creation; it's not actually stored.

I don't know if it's crazy for me to think it's the same forum from that many years ago, still doing the same thing and getting the same question.

[–] lowleveldata@programming.dev 91 points 2 years ago (5 children)

Don’t use a password ~~there~~ that you’ve used anywhere else

Just get a password manager already

[–] TigrisMorte@kbin.social 74 points 2 years ago (7 children)
[–] Spacecraft@lemmy.world 11 points 2 years ago (1 children)

I want to suggest 1Password even though it’s not free (I used bitwarden for many years though). It has its own SSH agent which is a dream.

[–] Ledivin@lemmy.world 30 points 2 years ago* (last edited 2 years ago) (11 children)

I just wanted to drop a reminder that both LastPass and Norton LifeLock have been hacked within the past year alone.

[–] Kbin_space_program@kbin.social 31 points 2 years ago

KeePass is a thing that exists and is fantastic.

[–] SaltySalamander@kbin.social 23 points 2 years ago (2 children)

I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.

[–] SomeRandomWords@lemmy.blahaj.zone 12 points 2 years ago (1 children)

Can I discourage rolling your own password manager (like using a text doc or spreadsheet) and instead recommend what you hopefully meant, self-hosting your own password manager?

[–] AnonTwo@kbin.social 14 points 2 years ago (3 children)

I don't know what you're trying to say. I think it was safe to assume Salty probably meant the local-based keepass or something like that?

I wouldn't have immediately gone to text doc or spreadsheet. Those aren't password managers.

[–] nickwitha_k 65 points 2 years ago (39 children)

That's very unlikely. It's running UBB Threads, which, from what I can tell, has an auth subsystem, which at minimum would do hashing. If it's providing you with a default at sign-up, that's different and is what appears to be a configurable setting.

If it is completely generated for you, here's what's probably happening:

  1. User creation module runs a password generator and stores this and the username in memory as string variables.
  2. User creation module calls back to storage module to store new user data in db, including the value of the generated password var.
  3. Either the storage module or another middleware module hashes the password while preparing to store.
  4. Storage module reports success to user creation.
  5. User creation module prints the vars to the welcome template and unloads them from memory.

TL;DR as this is running on a long-established commercial php forum package, with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.

[–] vox@sopuli.xyz 51 points 2 years ago* (last edited 2 years ago) (19 children)

No, they probably don't.
They just send it to your email upon registration, which is kinda a bad idea, but they are probably storing passwords hashed afterwards.

[–] Mirodir@discuss.tchncs.de 24 points 2 years ago (5 children)

...and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.

[–] TheEighthDoctor@lemmy.world 14 points 2 years ago (2 children)

So it's in plaintext in their email system

[–] dangblingus@lemmy.world 13 points 2 years ago (3 children)

I've literally never had a service provider email me my own password ever. Maybe an OTP, but never my actual password. And especially not in plaintext.

What would be the necessity behind emailing someone their own password? Doesn't that defeat the purpose of having a password? Email isn't secure.

[–] wim 12 points 2 years ago (1 children)

I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.

A lot of cottage industry web apps also did the same.

[–] JackbyDev@programming.dev 11 points 2 years ago (1 children)

"Kinda a bad idea?" This is fucking insane.

[–] darkkite@lemmy.ml 11 points 2 years ago (1 children)

This is still a terrible idea. The system should never know the plaintext password.

Logs capture a lot, even automated emails. I don't see a single reason to send the user their plaintext password and many reasons why they shouldn't.

[–] hperrin@lemmy.world 49 points 2 years ago (13 children)

You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.

Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.

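As an added example that is not part of this thread and not UBB Threads' code, here is the registration flow nickwitha_k sketches above, in Python: a generated password is hashed with a per-user salt, only the hash is persisted, the plaintext is handed to the welcome template once, and, as hperrin points out, the stored digest has a constant length no matter how long the password is. The function names, the `pbkdf2_sha256$…` record format and the in-memory "database" are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Iteration count kept modest so the example runs quickly; current OWASP
# guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations in production.
ITERATIONS = 100_000
DIGEST_LEN = 32  # bytes of derived key; constant regardless of password length


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=DIGEST_LEN,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register_user(username: str, db: dict) -> dict:
    """Simulated user-creation module (constructed, not the forum's code).

    The generated password lives only in this function's locals and in the
    returned template context; the 'database' receives nothing but the hash.
    """
    password = secrets.token_urlsafe(16)
    db[username] = {"password_hash": hash_password(password)}
    # The welcome email would be rendered from this context; once the caller
    # drops it, the plaintext is gone from the server side.
    return {"username": username, "password": password}


def stored_digest_len(password: str) -> int:
    """Length in hex characters of the digest field for an arbitrary password."""
    return len(hash_password(password).split("$")[3])
```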
[–] jonne@infosec.pub 48 points 2 years ago* (last edited 2 years ago) (1 children)

Sending your password right after you created it might not be best practice, but it doesn't mean it's stored unhashed in the database. It looks like they're using a third party forum software, so it should be pretty straightforward to figure out whether they do or not.

Looks like they address it here: https://forums.larian.com/ubbthreads.php?ubb=showflat&Number=669268#Post669268

[–] AlmightySnoo@lemmy.world 13 points 2 years ago (1 children)

it should be pretty straightforward to figure out whether they do or not

Not really since it's closed-source: https://www.ubbcentral.com/

But they seem to have been in business since 1997, so I highly doubt that they'd fuck up the "never store passwords in plain text" rule.

[–] jonne@infosec.pub 11 points 2 years ago (2 children)

Yeah, I was looking it up, and when I saw they've been selling this forum software since 1997 I was less confident about passwords being hashed. They address it in their forums and they're making it clear that the passwords are actually hashed, and they're looking at migrating to other solutions regardless.

[–] inclementimmigrant@lemmy.world 36 points 2 years ago* (last edited 2 years ago) (8 children)

While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn't mean they store your password in their database as plaintext.

[–] JackbyDev@programming.dev 31 points 2 years ago (4 children)

Encrypted passwords are still an unacceptable way to store passwords. They should be hashed.

[–] Cloodge@lemmy.world 15 points 2 years ago (1 children)

(and salted before hashing.)

[–] Dicska@lemmy.world 11 points 2 years ago (1 children)

And marinated in butter milk.

[–] jeeva@lemmy.world 14 points 2 years ago (4 children)

Would you accept "in a way that can be reversed"?

[–] slazer2au@lemmy.world 35 points 2 years ago (2 children)

Set your password to an EICAR test string and see what else you can brick on their site.

[–] 1984@lemmy.today 21 points 2 years ago* (last edited 2 years ago) (32 children)

It's 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one, with multi factor auth on important sites like email.

[–] Krakatoacoo@lemmy.world 11 points 2 years ago

For those who haven't made accounts yet, you don't actually have to make an account to play Larian Studios games.
