Java-Gaming.org    
Please don't email my password in plaintext
Offline emjas
« Posted 2012-01-16 17:13:12 »

Just signed up for this forum, was annoyed to see that my password was emailed to me in plaintext in the registration mail. Hopefully this isn't being saved in the forum database plaintext...

With the other security measures in place (like the human verification form after clicking on the link in the email) this seems to be a fairly glaring issue.

That being said, thanks for running the forum! Please take this as a friendly suggestion.
Offline Shane75776
« Reply #1 - Posted 2012-01-16 17:24:32 »

I am sure it's not saved as plain text.

In fact, I am almost certain that if it is saved in the database it's, like, encoded well.

Plus, not sure what the big deal is about it anyways. Not like someone could do much with just your email address. The most I could see is random spam of advertisements, which you can just mark as spam, but I really doubt JGO would do that.

So yea, chillax bro.

Check out my Snipping Tool++ ! An advanced snippet/screenshot/text uploading tool! Meant to replace the windows snipping tool.

Check out Pixel Rain My most recent Swing based game!
Offline sproingie
« Reply #2 - Posted 2012-01-16 17:48:43 »

SMF's security in general is pretty slipshod (and pretty much all forum software sucks), but I'm sure Riven has been doing a heroic job in attacking the worst of it.  I hope you're not reusing any passwords in general, and especially not on forums.  If the communication channel to your email isn't secure, you have way bigger problems than exposing a forum password.
Offline emjas
« Reply #3 - Posted 2012-01-16 18:37:55 »

Everything I use has a different password for just such a reason, and I take all of the precautions I know about and/or reasonably can do without actually disconnecting myself :) That being said, I have no control over the communication channel of the e-mail outbound from the forum server. My communication channel to my server is secure, but the rest of the internet I can't fix :D

I know most forums are lax in security, but that doesn't mean I'm not going to offer some suggestions when I see an easily-fixed problem. (it should be like a 60 second fix: remove that line from the "user-confirmation" email; save; deploy; done)

I'm not like raging upset or anything :) was just slightly miffed at seeing the password I just typed displayed to me on my screen (imagine you were typing your password in somewhere, and instead of seeing '●●●●●●●●●' you see '123456789'; you'd probably be mildly irritated). I'll say, I was as upset at seeing my password as I would be from having dropped a piece of food I was eating. It's just "aww, man... not cool".

Shane, it's not my e-mail address I'm concerned about, it's the password. IF I used that password for other things (which I don't, but a lot of people do) and someone got a hold of it, they could do some nasty things. My e-mail got broken into a few years ago (before I took more precautions) and it was really annoying to deal with all the fallout from it.
Offline Regenuluz
« Reply #4 - Posted 2012-01-16 18:45:00 »

I actually thought the exact same thing when I signed up for the forums. There really isn't any reason to email a password to the person who just entered it. If they managed to type the same thing twice in a row, they should be able to remember it just long enough to log in.
Offline delt0r
« Reply #5 - Posted 2012-01-16 19:04:43 »

This is an internet forum. If you seriously think that any such forum provides better security than plain text passwords in emails you are very naive. Also think about what it's for. There is little point having bank level security... not that some banks don't have security this bad too.

Note that hacking/eavesdropping on your email is probably harder than just directly hacking the site. It really does not matter much if the passwords are plain text in the database simply because once the site is compromised, they can just install a password scraper on the login page anyway. Well, there is some merit I guess, but not much.

I have no special talents. I am only passionately curious.--Albert Einstein
Online pjt33
« Reply #6 - Posted 2012-01-16 19:11:16 »

> This is an internet forum. If you seriously think that any such forum provides better security than plain text passwords in emails you are very naive. Also think about what it's for. There is little point having bank level security... not that some banks don't have security this bad too.

Disagree. Defence in depth. We should all educate users about using different passwords on different sites, and in addition we should all ensure that software we write or maintain doesn't expose passwords.

> Note that hacking/eavesdropping on your email is probably harder than just directly hacking the site. It really does not matter much if the passwords are plain text in the database simply because once the site is compromised, they can just install a password scraper on the login page anyway. Well, there is some merit I guess, but not much.

There is quite a bit of merit. It protects people who sign up once and never come back; and it protects against compromise of a backup of the database (e.g. a disk which is badly disposed of).
Offline emjas
« Reply #7 - Posted 2012-01-16 19:13:01 »

I never claimed or assumed that forums are supposed to provide bank level security.

What I am saying is: there is a very simple change that would (if ever so) slightly improve the security of the site, it'd make (at least some) of your users happy, it would take literally a minute to implement, there are no downsides.

Why some users here are complaining about me offering such a suggestion is confounding... especially in a forum regarding software development (we're all here to learn and improve right? not just troll new users?)

Mods/site-owners, any irritation in my posts here is regarding the replies from people. My original post is just a friendly suggestion to improve the site.

Anyway, that's all I'm going to post here.
Offline Shane75776
« Reply #8 - Posted 2012-01-16 19:26:17 »

> I never claimed or assumed that forums are supposed to provide bank level security.
>
> What I am saying is: there is a very simple change that would (if ever so) slightly improve the security of the site, it'd make (at least some) of your users happy, it would take literally a minute to implement, there are no downsides.
>
> Why some users here are complaining about me offering such a suggestion is confounding... especially in a forum regarding software development (we're all here to learn and improve right? not just troll new users?)
>
> Mods/site-owners, any irritation in my posts here is regarding the replies from people. My original post is just a friendly suggestion to improve the site.
>
> Anyway, that's all I'm going to post here.

Well yea, but it kinda seemed like you were to me.

Mostly with how you jumped at it just because the email it sent you had your email contained in it in text, you assumed that it was stored in the database as text.

They could have your email encoded so that if someone hacked the site and got it, it may look like a jumbled mess of letters. I am sure JGO "if they do encode in any way, I'm just making an example" have a way to decode it and send it out.

Offline h3ckboy
« Reply #9 - Posted 2012-01-16 19:40:53 »

But if they hacked the site it should be easy enough to check the sent box... unless that is non-existent.
Offline Shane75776
« Reply #10 - Posted 2012-01-16 19:42:51 »

> But if they hacked the site it should be easy enough to check the sent box... unless that is non-existent.

Why would any site keep a record of the activation email they send out to new users?

Offline sproingie
« Reply #11 - Posted 2012-01-16 19:57:24 »

I think when you reset your password, it also sends you a new password in plaintext that lasts indefinitely instead of a one-time reset link.  SMF is best secured by unplugging the machine that runs it.
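What the one-time reset link sproingie contrasts with looks like on the server side, as an added example that is not SMF's reset code: the server keeps only a hash of the token and deletes the entry on the first redemption attempt, so neither a database dump nor a re-used e-mail yields a working link. The store class, the 15-minute lifetime, the link path and the injectable clock are assumptions made for this demonstration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes


class ResetTokenStore:
    """Server-side record of outstanding reset links (hypothetical class, not SMF's).
    Only the SHA-256 of each token is kept, so whoever reads the database (or a
    backup of it) does not get a usable link."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be tested offline
        self._pending = {}    # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh high-entropy token; the caller puts it in the e-mail link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the user id for a valid token, or None. The entry is removed on the
        first attempt, so a link works exactly once, whether or not it was valid."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id

    def stored_digests(self):
        """What a database read would reveal: digests only, never the raw tokens."""
        return list(self._pending)


def build_reset_link(base_url, token):
    # Constructed URL shape for the e-mail body; the path is an assumption.
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue(user_id=42)
    print(build_reset_link("https://forum.example.invalid", tok))
    print("first use:", store.redeem(tok))   # 42
    print("second use:", store.redeem(tok))  # None
```

The contrast with a mailed password is the three properties the mailed password lacks: the secret is random rather than user-chosen, it stops working after one use or fifteen minutes, and the server never stores it in recoverable form.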
Offline h3ckboy
« Reply #12 - Posted 2012-01-16 20:28:54 »

> But if they hacked the site it should be easy enough to check the sent box... unless that is non-existent.

> Why would any site keep a record of the activation email they send out to new users?

That's why I added the last part, I am not very savvy of SMF :P
Offline Cero
« Reply #13 - Posted 2012-01-16 20:37:33 »

Why would anyone on earth save passwords as plaintext - though it happens.

When I learned PHP waay back, I learned, well, you save passwords into the database by using a hash, in that case md5 (it's long ago). Incredibly easy to use, and before lulzsec hacked all the Sony pages, the mere idea that anyone, let alone a big page, would save passwords in plaintext wouldn't even occur to me.

After that I wrote sha512 stuff for passwords, easy to use and all.

So I don't know what the big deal is with pages and security.

In case of md5 hash, it's only 1 line of code D:

And writing your own sha512 isn't very much either - and you just write it once anyway.

Offline sproingie
« Reply #14 - Posted 2012-01-16 21:13:18 »

If you want really securely hashed passwords, use bcrypt, which isn't crackable in seconds with rainbow tables on a GPU like md5 is.  PHP has built-in support for using bcrypt (blowfish) in its crypt() function, using BSD's insane "modular crypt" API.  For once I can't blame the API on PHP, but PHP of course manages to do one worse in that if it doesn't support the requested implementation, it falls back to using a terrible built in crypt function instead, making it both insecure and unportable!

Ultimately though, if your password database is compromised, hashing only slows attackers down.  You still better invalidate every password.


Offline Riven
« Reply #15 - Posted 2012-01-16 21:13:46 »

> When I learned PHP waay back, I learned, well, you save passwords into the database by using a hash, in that case md5 (it's long ago). Incredibly easy to use, and before lulzsec hacked all the Sony pages, the mere idea that anyone, let alone a big page, would save passwords in plaintext wouldn't even occur to me.

This is exactly the false sense of security many developers have. Hashing passwords is not enough, regardless of the algorithm. There are rainbow tables that you feed the hash into, and it (often) simply gives you the original password.

Hi, appreciate more people! Σ ♥ = ¾
Learn how to award medals... and work your way up the social rankings
Offline Riven
« Reply #16 - Posted 2012-01-16 21:15:17 »

> I know most forums are lax in security, but that doesn't mean I'm not going to offer some suggestions when I see an easily-fixed problem. (it should be like a 60 second fix: remove that line from the "user-confirmation" email; save; deploy; done)

I guess you're not familiar with the SMF sourcecode.

It's a steaming pile of shit. Seriously. Locating that single line of code is probably going to take me 10 minutes.

Going to 'fix' it now, though.


Edit:
It's also worth noting that SMF is laughable regarding security. I just stumbled on this code:
      $request = db_query("
         SELECT ...
         FROM ...
         WHERE ... = '$_POST[...]'
         LIMIT 1"
      );

I mean, it's littered with these kinds of potential SQL injections.

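The pattern Riven quotes, pasting a request value straight into the SQL text, placed beside its parameterized counterpart, as an added example that is not SMF's code or Riven's. It uses Python's sqlite3 module against a constructed `members` table (table name, columns and rows are assumptions for the demonstration) so the difference can be observed offline; the only "attacker" input is the textbook tautology that every SQL injection primer shows.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a forum members table (not SMF's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_interpolated(conn, posted_name):
    """Mirrors the quoted SMF pattern: the request value becomes part of the SQL
    text, so the database cannot tell data from query syntax."""
    sql = f"SELECT id, name FROM members WHERE name = '{posted_name}' LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, posted_name):
    """Hardened form: the value is bound as a parameter, so it is only ever
    compared against the column, never parsed as SQL."""
    sql = "SELECT id, name FROM members WHERE name = ? LIMIT 1"
    return conn.execute(sql, (posted_name,)).fetchall()


def apostrophe_breaks_interpolation(conn):
    """A perfectly legitimate name containing an apostrophe is enough to make the
    interpolated query fail; that error is the first sign data is parsed as SQL."""
    try:
        lookup_interpolated(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "nobody' OR '1'='1"  # textbook input; no member called 'nobody' exists
    print("interpolated:", lookup_interpolated(db, tautology))    # a real row comes back
    print("parameterized:", lookup_parameterized(db, tautology))  # []
    print("apostrophe breaks interpolation:", apostrophe_breaks_interpolation(db))
```

The point of the third function is that a logging or error-rate check catches this class of bug before anyone hostile does: a query that throws on `o'brien` is one that will also misbehave on deliberately crafted input, and the fix in both cases is the same single change to bound parameters.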
Offline ra4king
« Reply #17 - Posted 2012-01-16 21:19:04 »

I'm kinda not following here....what exactly are you "fixing"? Are you not sending the password to the user's email address anymore?

Offline BoBear2681
« Reply #18 - Posted 2012-01-16 21:23:28 »

<OT>
@Shane75776:  Why do the (non-working) links in your signature read like they're links to malware?
</OT>

Offline ra4king
« Reply #19 - Posted 2012-01-16 21:29:01 »

> <OT>
> @Shane75776:  Why do the (non-working) links in your signature read like they're links to malware?
> </OT>

Hahaha, he just failed at correctly setting up the URL tag :P

When you fix them, the first link gives me a 404 and the second link is to a fraud/malware "satellitedirect" site :)

Offline EgonOlsen
« Reply #20 - Posted 2012-01-16 21:35:34 »

> It's a steaming pile of shit. Seriously. Locating that single line of code is probably going to take me 10 minutes.
> ...
> It's also worth noting that SMF is laughable regarding security. I just stumbled on this code:
> ...

But keep in mind that this forum is still based on 1.1.15. The current version is 2.0.2. I'm not sure if the 2.x-branch has improved in this respect (haven't looked at the code to protect my eyes), but it might...

Offline Riven
« Reply #21 - Posted 2012-01-16 21:36:49 »

> It's a steaming pile of shit. Seriously. Locating that single line of code is probably going to take me 10 minutes.
> ...
> It's also worth noting that SMF is laughable regarding security. I just stumbled on this code:
> ...
> But keep in mind that this forum is still based on 1.1.15. The current version is 2.0.2. I'm not sure if the 2.x-branch has improved in this respect (haven't looked at the code to protect my eyes), but it might...

1.1.15 is the latest of the 1.x branch and just as secure as 2.x (which means it is horrible).

Offline Riven
« Reply #22 - Posted 2012-01-16 21:55:52 »

> Locating that single line of code is probably going to take me 10 minutes.

Found it! (took only 40min!)

SMF has at least 9 places where registration mails are sent.

Offline kaffiene
« Reply #23 - Posted 2012-01-16 22:10:03 »

> > Locating that single line of code is probably going to take me 10 minutes.
>
> Found it! (took only 40min!)
>
> SMF has at least 9 places where registration mails are sent.

Heh.  Riven, you do great work for us all.  It's appreciated, bro.
Offline Cero
« Reply #24 - Posted 2012-01-16 22:15:43 »

> > When I learned PHP waay back, I learned, well, you save passwords into the database by using a hash, in that case md5 (it's long ago). Incredibly easy to use, and before lulzsec hacked all the Sony pages, the mere idea that anyone, let alone a big page, would save passwords in plaintext wouldn't even occur to me.
>
> This is exactly the false sense of security many developers have. Hashing passwords is not enough, regardless of the algorithm. There are rainbow tables that you feed the hash into, and it (often) simply gives you the original password.

I'm not saying it's secure with sha512, but it's an obvious thing to do and better than PLAINTEXT.
Well, of course that's kinda an oxymoron, since there's no such thing as "more" or "less" secure, only effective or not.
But you know - plaintext passwords just baffle me,
and as opposed to SQL injection and stuff, not as hard to avoid.

Offline Riven
« Reply #25 - Posted 2012-01-16 22:33:08 »

> I'm not saying it's secure with sha512, but it's an obvious thing to do and better than PLAINTEXT.

This reasoning is exactly what I mean with 'false sense of security'.

Excuse my French, but hashing a password with sha512 is worth shit. You could just as well have stored the password in plain text. There are more than enough rainbow tables available to 'convert' the hash back to the original value (with a high probability). What you need to do is salt your hash. Only then do you make it nearly impossible to 'recover', other than by bruteforce.

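An added illustration of Riven's point here and of sproingie's bcrypt remark in reply #14 (example code, not the forum's or SMF's): a four-entry lookup table stands in for a rainbow table and recovers the unsalted one-line SHA-512 hash the thread describes, while a per-user random salt plus a deliberately slow key-derivation function leaves the same table with nothing to match. PBKDF2-HMAC-SHA512 from Python's standard library is used in place of bcrypt because it needs no extra package; the round count, the `$`-separated storage format and the candidate list are assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a rainbow table: a real table holds
# billions of entries, but four are enough to show the mechanism.
CANDIDATES = ["123456789", "password", "letmein", "qwerty"]

PBKDF2_ROUNDS = 210_000  # assumed work factor; raise it as hardware gets faster


def naive_sha512(password):
    """The one-line approach from the thread: an unsalted hash. Every user with the
    same password gets the same digest, and the digest can be precomputed."""
    return hashlib.sha512(password.encode()).hexdigest()


def build_lookup_table(candidates=CANDIDATES):
    """Precompute digest -> password once; afterwards recovery is a dictionary lookup."""
    return {naive_sha512(p): p for p in candidates}


def recover_from_table(digest, table):
    """Returns the password if the digest was precomputed, else None."""
    return table.get(digest)


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF. PBKDF2-HMAC-SHA512 stands in for
    bcrypt here; the stored record carries everything needed to verify later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha512${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and round count; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_digest(stored):
    """The derived-key part of a stored record, for checking it against a table."""
    return stored.split("$")[3]


if __name__ == "__main__":
    table = build_lookup_table()
    print("unsalted sha512 recovered:", recover_from_table(naive_sha512("123456789"), table))
    record = hash_password("123456789")
    print("salted record in table:", recover_from_table(salted_digest(record), table))
    print("verify correct:", verify_password("123456789", record))
    print("verify wrong:", verify_password("password", record))
```

Two details carry the defensive weight: the salt is generated from `os.urandom` per record, so a table would have to be rebuilt per user, and the round count is stored alongside the hash, so it can be raised for new records without invalidating old ones. `hmac.compare_digest` keeps the comparison from leaking how many leading bytes matched.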
Offline EgonOlsen
« Reply #26 - Posted 2012-01-16 22:37:15 »

> 1.1.15 is the latest of the 1.x branch and just as secure as 2.x (which means it is horrible).

To be exact, 1.1.16 is the latest... but I doubt that it'll help much either... ;)

Offline Riven
« Reply #27 - Posted 2012-01-16 22:56:18 »

> > 1.1.15 is the latest of the 1.x branch and just as secure as 2.x (which means it is horrible).
>
> To be exact, 1.1.16 is the latest... but I doubt that it'll help much either... ;)

Running 1.1.16 now. Thanks for the heads up.

Offline Cero
« Reply #28 - Posted 2012-01-16 23:09:38 »

> > I'm not saying it's secure with sha512, but it's an obvious thing to do and better than PLAINTEXT.
>
> This reasoning is exactly what I mean with 'false sense of security'.
>
> Excuse my French, but hashing a password with sha512 is worth shit. You could just as well have stored the password in plain text. There are more than enough rainbow tables available to 'convert' the hash back to the original value (with a high probability). What you need to do is salt your hash. Only then do you make it nearly impossible to 'recover', other than by bruteforce.

Sure. Salting is mandatory. And with it, sha512 hasn't shown collisions, AFAIK.

Offline Riven
« Reply #29 - Posted 2012-01-16 23:14:07 »

> sha512 hasn't shown collisions, AFAIK

SHA512 has 512 bits (64 bytes).

Computing all hashes from all possible unique files of 65 bytes, you will find at least 256 collisions.
Computing all hashes from all possible unique files of 66 bytes, you will find at least 65536 collisions.
Computing all hashes from all possible unique files of 67 bytes, you will find at least 16777216 collisions.
