Larion Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.
Hello, c/Games mod here.
This post has been reviewed as valid by the mod team
For everyone infosec culture, hashing and salting password consist in using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker that was able to steal a database to obtain the password. As the website is unable to decrypt said password (thank to the one way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in his database.
But
In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure if Larion Studios indeed have unhashed and unsalted password in his database.
That doesn’t really mean that they store it in plain text. They sent it to you after you finished creating your account, and it’s likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).
Yes, still not worth risking using a duplicate password though.
Honestly, why risk duplicate passwords even then? I have one strong password that I use for accessing my password manager, and let the password manager generate unique random passwords. Even if I had an easier password that I duplicated with some small changes, I’d still use a password manager to autofill it anyway. I use bitwarden personally, you can also self host it with vaultwarden but it seemed like more trouble than it was worth imo
This is a friendly reminder to everyone that password managers are not risk free either. LastPass was hacked last year, NortonLifeLock earlier this year.
Personally the risk of bitwarden is outweighed by its convenience (compared to self hosted/local only solutions) in my opinion, but I know that’ll change real quick if bitwarden ever has a breach. If it does I’m jumping ship to a self hosted or local only solution, but I’m hoping that doesn’t have to happen
Bitwarden is end to end encrypted. If the host gets hacked your passwords are still as safe as your master password is. Self hosting wouldn’t really be a huge help there. Possibly even detrimental depending on your level of competence at securing a public facing web host.
I heard people’s LastPass accounts were getting compromised after that theft, but I also don’t know how strong their master passwords were.
This is why I don’t use a common centralized password manager, just like I don’t use any of the most popular remote desktop solutions like TeamViewer for unattended access.
I run a consumer copy of Pleasant Password Manager out of AWS and use NoMachine for unattended access to any machines where I need it.
Security through obscurity is tried and true. Put as little of your security attack surface in the hands of others as is reasonable.
You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.
Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.
I recently created an Activision account during a free weekend event and discovered their password system is completely broken. 30 character limit but refused to accept any more than 12 characters. Kept erroring out with must be less than 30. Once I got it down to 12 it accepted that, but then it complained about certain special characters. Definitely not giving them financial information.
My bank if you get your card number through the app has a dynamic ccv that changes every day so while not perfect is what I use whenever purchasing online
deleted by creator
While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn’t mean they store your password in their database as plaintext.
Would you accept “in a way that can be reversed”?
It’s possible that this email is a result of forum user creation, so during that submission the plaintext password was available to send to the user. Then it would be hashed and stored.
I don’t know why you’d give them any benefit of the doubt. They should have already killed that with this terrible security practice.
But yeah, sure, maybe this one giant, extremely visible lapse in security is the only one they have.
I’m just explaining how user authentication works for most web applications. The server will process your plaintext password when your account is created. It should then store that as a hashed string, but it can ALSO send out an email with that plaintext password to the user describing their account creation. This post does not identify that passwords are stored in plaintext, it just identifies that they email plaintext passwords which is poor security practice.
This particular poor security practice is very much like a roach. If you see one you have a bigger problem.
See, I can also repeat myself as though you didn’t understand the first time.
Passwords shouldn’t be stored at all though 🤷♂️
You mean plaintext passwords right? Ofcourse then need to store your (hashed)password!
The hash is not the password.
My bad! I just misunderstood >.<
Point is, a hash isn’t a password. giving the most you don’t need tech knowledge analogy, it’s like the passwords fingerprint.
The police station may keep your daughters fingerprint so that if they find a lost child they can recognize it is your daughter beyond any doubt. Your daughters fingerprints, is like a hash, your daughter is a password.
The police should not store your daughter… that’s bad practice. The fingerprints are all they should store, and needless to say the fingerprints aren’t your daughter, just as a hash isn’t a password.
Set your password to an EICAR test string and see what else you can brick on their site.
Holy shit beautiful. Now I wanna try it everywhere
For those who haven’t made accounts yet, you don’t actually have to make an account to play Larian Studios games.
