Password storage

Please, Please, Please do NOT EVER store passwords in plain text!

Change this immediately.

I know you do since you send me my password through mail in plain text.

This is a very bad security issue!

Hello

this is a randomly generated password and we recommend that you change it after your first login.


Greetings

Error

I doubt they would store passwords without encryption. Almost no one does that anymore, and I’m quite sure that IPB supports password encryption (MD5 or whatever) by default.

After creating an account for Star Conflict I got an email with the password I chose myself in plain text!

It was not randomly generated.

If they store it encrypted, they should not be able to send it to me by mail.

If they encrypt it after sending the mail, the password is still temporarily stored on their side in plain text and it is sent by mail in plain text.

Both are bad.


For recovery passwords I understand it is in plain text. This is also the reason you should not keep this password.

I came here just to say the same thing. All passwords should ONLY be stored as hashes on your side! This is a rookie security mistake that will sooner or later blow up in your face. Fix it!


I was about to make this post myself. I just changed my password to one I set myself and it got e-mailed to me in plain text. WTF?! This is why you don’t hire your nephew who just learned PHP last week to make a business site for you. Speaking as a web developer, this needs fixed ASAP. This is a serious security problem and only a complete amateur would do something like this. Don’t expect me to ever give you my credit card info until you guys get a proper login system.


I use a salted sha256 hash. It creates a deterministic 64 character hexadecimal string. A salt is a random string of characters that’s appended to the hash and then it’s hashed again. I should not have to explain database security to supposed professionals, especially since I consider myself barely competent and even I know not to store plain text passwords. This is really, really basic stuff guys. Get on it.
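The salted-hash scheme the post above argues for, as an added example written for this thread (it is not the forum software's or the game's own code): a random per-user salt is stored next to the digest, verification recomputes the digest and compares it in constant time, and the plain-text password is never written anywhere. It uses PBKDF2-HMAC-SHA256 with an iteration count as the work factor, which goes beyond the single salted SHA-256 the post mentions; the iteration count is an assumption chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16
ITERATIONS = 100_000  # assumed work factor for the demo; raise it in production


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "salt_hex$digest_hex" derived from the password.

    Only the salt and the digest are stored, never the password itself. A fresh
    random salt per user means two accounts with the same password produce
    different records, so a leaked table cannot be attacked with one precomputed
    lookup, and an operator cannot e-mail a user their password back.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two users choose the same password
    rec_a = hash_password("correct horse battery")
    rec_b = hash_password("correct horse battery")
    print("records differ despite equal passwords:", rec_a != rec_b)
    print("correct password verifies:", verify_password("correct horse battery", rec_a))
    print("wrong password rejected:", verify_password("Correct horse battery", rec_a))
```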

Yes, I tested that I get the new password after recovering as well, but my guess is that they send it right away before storing (and encoding) it in the DB.

Does this compromise security? Not really sure, as I haven’t worked with this stuff in the professional field, only played around when I studied. If passwords are usually encrypted on the client side, then you can just check in Wireshark or something similar what is sent when you log in to the game, and if it is encrypted, then most of these accusations are false.

Anyway, it would be nice to get some confirmation from the devs about the process; otherwise we are just chasing our own tails and trying to prove how (not) smart we are.


Hello sir.

We never store passwords in plain text on our side. We use heavy encryption, and, if the password is strong enough (long and not in a dictionary), it would be impossible to brute-force it even for us (i.e. knowing its hash is not even enough to extract the original password in any reasonable period of time).


We are just sending the password to help users (a LOT of users forget what they have just typed, and spend a lot of time), but we will change this policy immediately.


Again, we have never stored any passwords anywhere. We use a salted SHA hash over our own additional encryption of the password - it is practically irreversible.