this post was submitted on 28 Sep 2023
320 points (75.6% liked)


Larian Studios forum stores your passwords in unhashed plaintext. Don't use a password there that you've used anywhere else.

top 50 comments
[–] Dremor@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Hello, c/Games mod here.

This post has been reviewed as valid by the mod team.

For everyone's infosec culture: hashing and salting passwords consists of using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker who was able to steal a database to obtain the passwords. As the website is unable to decrypt said password (thanks to the one-way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in its database.

But

In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure whether Larian Studios indeed has unhashed and unsalted passwords in its database.

[–] AlmightySnoo@lemmy.world 158 points 1 year ago (19 children)

That doesn't really mean that they store it in plain text. They sent it to you after you finished creating your account, and it's likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).

[–] ono@lemmy.ca 107 points 1 year ago* (last edited 1 year ago) (8 children)

Your guess is confirmed here.

There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content). After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.

...and later...

The forum has been updated to https, and passwords are no longer being sent by email.

Which raises the question of how old OP's screen shot is.

Also, no, the password would not necessarily still be stored in plain text on their end. The cleartext password used in that email might be only in memory, and discarded after sending the message. Depends on how the UBB forum software implemented it and how Larian's mail servers are set up.

EDIT: I just verified that this behavior has resurfaced since it was originally fixed. OP would do well to responsibly report it, rather than stirring up drama over a web forum account.

[–] trustnoone@lemmy.sdf.org 11 points 1 year ago

I actually think this is the case. I could be completely wrong but I swear I saw the same question like 6 years ago in another forum software that looks exactly like this one lol. And people complained about it storing plain text, but the response when asking the forum people was that it was only during that password creation, it's not actually stored.

I don't know if it's crazy for me to think it's the same forum from that many years ago, still doing the same thing and getting the same question.

[–] lowleveldata@programming.dev 91 points 1 year ago (5 children)

Don’t use a password ~~there~~ that you’ve used anywhere else

Just get a password manager already

[–] TigrisMorte@kbin.social 74 points 1 year ago (7 children)
[–] Spacecraft@lemmy.world 11 points 1 year ago (1 children)

I want to suggest 1Password even though it’s not free (I used bitwarden for many years though). It has its own SSH agent which is a dream.

[–] Ledivin@lemmy.world 30 points 1 year ago* (last edited 1 year ago) (11 children)

I just wanted to drop a reminder that both LastPass and Norton LifeLock have been hacked within the past year alone.

[–] Kbin_space_program@kbin.social 31 points 1 year ago

KeePass is a thing that exists and is fantastic.

[–] SaltySalamander@kbin.social 23 points 1 year ago (2 children)

I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.

[–] SomeRandomWords@lemmy.blahaj.zone 12 points 1 year ago (1 children)

Can I discourage rolling your own password manager (like using a text doc or spreadsheet) and instead recommend what you hopefully meant, self-hosting your own password manager?

[–] AnonTwo@kbin.social 14 points 1 year ago (3 children)

I don't know what you're trying to say. I think it was safe to assume Salty probably meant the local-based keepass or something like that?

I wouldn't have immediately gone to text doc or spreadsheet. those aren't password managers.

[–] nickwitha_k@lemmy.sdf.org 65 points 1 year ago (39 children)

That's very unlikely. It's running UBB Threads, which, from what I can tell, has an auth subsystem, which at minimum would do hashing. If it's providing you with a default at sign-up, that's different and is what appears to be a configurable setting.

If it is completely generated for you, here's what's probably happening:

  1. User creation module runs a password generator and stores this and the username in memory as string variables.
  2. User creation module calls back to storage module to store new user data in db, including the value of the generated password var.
  3. Either the storage module or another middleware module hashes the password while preparing to store.
  4. Storage module reports success to user creation.
  5. User creation module prints the vars to the welcome template and unloads them from memory.

TL;DR: as this is running on a long-established commercial PHP forum package, with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.

[–] vox@sopuli.xyz 50 points 1 year ago* (last edited 1 year ago) (19 children)

no, they probably don't.
they just send it to your email upon registration, which is kinda a bad idea, but they are probably storing passwords hashed afterwards.

[–] Mirodir@discuss.tchncs.de 24 points 1 year ago (5 children)

...and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.

[–] TheEighthDoctor@lemmy.world 14 points 1 year ago (2 children)

So it's in plaintext in their email system

[–] dangblingus@lemmy.world 13 points 1 year ago (3 children)

I've literally never had a service provider email me my own password ever. Maybe an OTP, but never my actual password. And especially not in plaintext.

What would be the necessity behind emailing someone their own password? Doesn't that defeat the purpose of having a password? Email isn't secure.

[–] wim@lemmy.sdf.org 12 points 1 year ago (1 children)

I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.

A lot of cottage industry web apps also did the same.

[–] darkkite@lemmy.ml 11 points 1 year ago (1 children)

This is still a terrible idea. The system should never know the plaintext password.

Logs capture a lot, even automated emails. I don't see a single reason to send the user their plaintext password, and many reasons why they shouldn't.

[–] JackbyDev@programming.dev 11 points 1 year ago (1 children)

"Kinda a bad idea?" This is fucking insane.

[–] hperrin@lemmy.world 49 points 1 year ago (13 children)

You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.

Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.
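To make the two points above concrete (the registration flow sketched in nickwitha_k's comment, and hperrin's observation that a hashed password has a constant stored length), here is an added example in Python; it is not UBB Threads code or anything posted in the thread, and it assumes PBKDF2-HMAC-SHA256 with an assumed iteration count, since the thread names no algorithm:

```python
import hashlib
import hmac
import os

# Constructed stand-in for the forum's user table: username -> (salt, hash).
# Only the salt and the derived hash are stored, never the password itself.
USER_DB: dict[str, tuple[bytes, bytes]] = {}

PBKDF2_ITERATIONS = 600_000  # assumed work factor (not from the page)


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation: output is always 32 bytes for SHA-256,
    whatever the input length, which is why a DB column never needs to
    impose a maximum password length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> str:
    """Steps 1-5 of the sketched flow: the cleartext lives only in this
    function's local variables; the DB receives salt + hash."""
    salt = os.urandom(16)  # fresh per-user salt defeats precomputed tables
    USER_DB[username] = (salt, hash_password(password, salt))
    # Welcome template: the only place the cleartext is rendered. Emailing it
    # (as in the thread) is the risky part, independent of what the DB holds.
    return f"Welcome {username}! Your password is: {password}"
    # `password` and `salt` go out of scope here and are not retained.


def verify(username: str, password: str) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    record = USER_DB.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def db_contains_plaintext(password: str) -> bool:
    """Audit helper: does the raw password appear anywhere in stored data?"""
    needle = password.encode("utf-8")
    return any(needle in salt or needle in digest
               for salt, digest in USER_DB.values())


def stored_hash_length(username: str) -> int:
    return len(USER_DB[username][1])
```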

[–] jonne@infosec.pub 48 points 1 year ago* (last edited 1 year ago) (1 children)

Sending your password right after you created it might not be best practice, but it doesn't mean it's stored unhashed in the database. It looks like they're using a third party forum software, so it should be pretty straightforward to figure out whether they do or not.

Looks like they address it here: https://forums.larian.com/ubbthreads.php?ubb=showflat&Number=669268#Post669268

[–] AlmightySnoo@lemmy.world 13 points 1 year ago (1 children)

it should be pretty straightforward to figure out whether they do or not

Not really since it's closed-source: https://www.ubbcentral.com/

But they seem to have been in business since 1997, so I highly doubt that they'd fuck up the "never store passwords in plain text" rule.

[–] jonne@infosec.pub 11 points 1 year ago (2 children)

Yeah, I was looking it up, and when I saw they've been selling this forum software since 1997 I was less confident about passwords being hashed. They address it in their forums and they're making it clear that the passwords are actually hashed, and they're looking at migrating to other solutions regardless.

[–] inclementimmigrant@lemmy.world 36 points 1 year ago* (last edited 1 year ago) (8 children)

While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn't mean they store your password in their database as plaintext.

[–] JackbyDev@programming.dev 31 points 1 year ago (4 children)

Encrypted passwords are still an unacceptable way to store passwords. They should be hashed.

[–] Cloodge@lemmy.world 15 points 1 year ago (1 children)

(and salted before hashing.)

[–] Dicska@lemmy.world 11 points 1 year ago (1 children)

And marinated in butter milk.

[–] jeeva@lemmy.world 14 points 1 year ago (4 children)

Would you accept "in a way that can be reversed"?

[–] slazer2au@lemmy.world 35 points 1 year ago (2 children)

Set your password to an EICAR test string and see what else you can brick on their site.

[–] 1984@lemmy.today 21 points 1 year ago* (last edited 1 year ago) (32 children)

It's 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one, with multi factor auth on important sites like email.

[–] Krakatoacoo@lemmy.world 11 points 1 year ago

For those who haven't made accounts yet, you don't actually have to make an account to play Larian Studios games.
