this post was submitted on 30 Sep 2023
156 points (73.9% liked)

Programming

17784 readers
186 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 2 years ago
MODERATORS
 

This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 126 points 1 year ago* (last edited 1 year ago) (4 children)

Larian stated on their forum they fixed this behavior and shifted to https 3 years ago. When this was linked several times in thread, people asked OP when this screenshot occured, and OP ignored the questions. Pretty clear that this is a very old screenshot of what is now a non issue.

What's to discuss besides OP trying to stir up drama about issues that were resolved years ago?

[–] [email protected] 28 points 1 year ago (1 children)

this is a very old screenshot

What do you mean? It says "0 minutes ago"! Clearly it's very recent! /s

load more comments (1 replies)
[–] [email protected] 15 points 1 year ago* (last edited 1 year ago) (1 children)

FWIW, it's not fixed. The screen shot may very well be recent.

(The post in question was still bad reporting, though, for the reasons I detailed in my other comment here.)

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (2 children)

Are you saying that the parent poster is giving incorrect information?

Edit: Oy, straight from their membership administration docs (emphasis mine):

Additionally, using the buttons below, you can delete the user, email the user's password to him/her, (etc)

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

Are you saying that the parent poster is giving incorrect information?

Yes. mosiacmango's comment repeated what others had already said (right down to specific words that I used in the original thread and here), and then jumped to this conclusion:

Pretty clear that this is a very old screenshot of what is now a non issue.

Everything about that statement is false. While the circumstances made it seem likely that the screenshot was old, it was not clearly so, and in fact, it turns out the issue is still present. I checked it. A registration email from the test I ran yesterday looked just like the screenshot in question, cleartext password and all.

Given that Larian reported the issue fixed three years ago, it's possible that they fixed it locally and some time later upgraded to a new version of the forum software, thereby overwriting the local fix. Perhaps mosiacmango should have considered that before posting incorrect speculation as if it were fact.

[–] [email protected] 4 points 1 year ago

Ouch... This should never be possible, in any world. If the password can be emailed, it can be seen. If it can be seen, it can be stolen.

load more comments (2 replies)
[–] [email protected] 91 points 1 year ago (7 children)

Just wow, yeah. Nothing should ever send you a password in cleartext - once that's been done, a MITM attack's success rate just went to 100%.

It's painless to use password resets if the person forgot the password. Never, ever should a password be in cleartext.

hunter2

[–] [email protected] 88 points 1 year ago (1 children)

Why did you put a bunch of asterisks at the bottom of your post?

[–] [email protected] 35 points 1 year ago (4 children)

I'm delighted you get the reference!

load more comments (4 replies)
[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)

An issue if you’re reusing passwords. If not, every forgot my password email is also vulnerable.

A combination of bad practices could be… bad.

Edit: apparently around the same time, their forum was also lacking https. This would be an even easier vector.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (2 children)

It’s painless to use password resets

Ya and have they send you the (one-time) password in cleartext

[–] [email protected] 5 points 1 year ago (1 children)

(one-time)

You make it sound like an irrelevant detail, but that's kind of the key part. If implemented properly, it's only valid once and for a short period of time, which greatly reduces risk.

load more comments (1 replies)
[–] [email protected] 3 points 1 year ago (3 children)

In my experience it's always a tokenized link, no clear text required.

[–] [email protected] 15 points 1 year ago

Well, the tokenized link is essentially a clear text one time password. Not really any better than just a one time password except for the convenience that the user does not need to type it in. If someone gets hold of the link or password before you they can get access to your account.

[–] [email protected] 8 points 1 year ago

I don't see how's either way better or worse as long as they force you to change the password upon login

[–] [email protected] 4 points 1 year ago

And what is the token in the link?

[–] [email protected] 3 points 1 year ago (1 children)

Many years ago, I had forgotten my password to the Sprint websiteb so I could log in and pay my cellular bill. I had to call customer support to resolve this. After verifying my activity, the support agent read me my existing password one letter at a time. While this was alarming, I was amused she had to spell out a somewhat obscene phrase for me. This was maybe 20 years ago and I no longer use Sprint.

[–] [email protected] 3 points 1 year ago

I no longer use Sprint

I mean, nobody else does either.

load more comments (3 replies)
[–] [email protected] 73 points 1 year ago

I think the OP of that post would have had a better reception if they had:

  • Responsibly disclosed what they found, rather than using it to stir up drama on social media.
  • Mentioned that it's just a web forum account, not connected to game accounts or anything else of value.
  • Targeted the software vendor (https://www.ubbcentral.com/) instead of picking on one particular customer who used that software.
  • Refrained from spreading misconceptions and unfounded assumptions about how the technology works.
  • Responded to the reasonable follow-up questions, such as those that came when readers discovered that the problem was reported fixed three years ago.

People in that thread responded with skepticism and criticism to an irresponsible, misdirected, misleading, alarmist mess of a post. That's hardly surprising.

[–] [email protected] 57 points 1 year ago (2 children)

This was hashed out pretty thoroughly in that thread.

The initial concern over the password being stored in plaintext was shown to be a mistaken assumption, and it was made clear that this kind of email doesn't happen anymore, it's an outdated problem.

No need to keep the discussion going past that, is there? Much less spread it around?

[–] [email protected] 15 points 1 year ago (3 children)

Sending passwords via email Will compromise any passwords sent via email. Regardless if the password is stored anywhere in the process if the password is sent via email it is compromised and no longer safe to use. Email is not end and encrypted you have no idea who's running the mail exchange servers that your email follows, it's entirely possible for this company to store that password in a log dealing with their email servers. Password sent via email should be considered immediately compromised and any sites following a practice like this should not be trusted with standard passwords which you shouldn't be using anyway.

[–] [email protected] 23 points 1 year ago

Right, and everyone agreed that wasn't the greatest practice. Two years ago.

This thread from two days ago was bringing attention to an issue that was fixed two years ago, and calling it out as if it was a different problem than it was.

It's good to have discussions about security best practices, but this thread is pointless. This problem is simply not there anymore.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

Email isn't end to end encrypted but, but it generally is encrypted. The people who will have it are the sender (who already have the password since they created it) and whoever runs the recipient's mail server. Which is hopefully someone the recipient trusts.

From the sounds of it, this was a password that the server randomly generated, so it's never been used before, and you are forced to reset the password as soon as you use it, so it'll never be used again and they do treat it as "immediately compromised".

Hardly state of the art security, but it also doesn't really have any major problems... especially since this is for a forum.

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 4 points 1 year ago

hashed out

heheh

[–] [email protected] 41 points 1 year ago (14 children)

People weren't really nitpicking.

  • it's obviously bad to send an email with a plaintext password
  • the website owners had apparently already resolved the issue
  • it does not mean the passwords were stored in plaintext
  • the OP sounds like a skiddie in a bunch of comments and doesn't seem to understand how most websites with auth work
load more comments (14 replies)
[–] [email protected] 22 points 1 year ago

Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring [the actual point]

This is the experience working in a professional software development setting, yes.

[–] [email protected] 14 points 1 year ago (1 children)

Everyone seems more interested in nitpicking

Actually, not everyone in that thread is nitpicking. There's one comment that's just a helpful hint.

But yes, nitpicking is fun. I'll see myself out.

[–] [email protected] 4 points 1 year ago

No, I'll allow it, this is a good post. Not even being sarcastic, did me a grin haha

[–] [email protected] 11 points 1 year ago (2 children)

Uh, I seem to recall this happening when I made a Larian account. What happens is you give them your email, they make your account, and email you a temporary password. The temp password is shown in plaintext, as the email shows. Once I saw the email, I logged in to finalize my account and change my password to something secure. It's not the most modern process, but I wasn't really that concerned either.

load more comments (2 replies)
[–] [email protected] 11 points 1 year ago (3 children)

OP of that thread was talking about how (they think) the password was stored in plain text instead of this "tree" you're talking about. The discussion on that was not a nitpick.

load more comments (3 replies)
[–] [email protected] 9 points 1 year ago

The number of people accepting email for some magic thing without in-between mechanisms is ridiculous. If it's sent in an email you should 100% consider it to be stored in plaintext in multiple places. There is incredible amount of machinery between your mail() call and the end user reading that email, on both the sending and receiving end. For example, my spam filter (rspamd) will likely store a copy of it for a while, and that's not unique to it.

What's in the database is not really relevant. Only the worst instance of storage counts.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (3 children)

Everyone seems more interested in nitpicking the specifics of what OP is saying

Yep. That's how security works. You have to nitpick the specifics.

The reality is nobody has invented a perfectly secure authentication system that is easy to use (for example, allows easy recovery when people forget their password which for any large service will be tens of millions of times per day).

Attempts have been made - passkeys being the latest one - but they're not even remotely easy to use as soon as you step slightly out of the most common path (such as using the web browser that is provided by the company you're logged in with... try to use Chrome with an Apple passkey, or Safari with a Google passkey, and you're going to stumble into usability issues).

Passwords are not considered secure wether they're sent in a plaintext email or not. They can be secure, if used properly, but 99% of users don't follow best practices. As a result almost every web service in the world is insecure and it's the nitpicky details that matter.

Sending a secret to an email address is a standard step during registration for almost any service.

[–] [email protected] 7 points 1 year ago (1 children)

But the thing is that you should never have access to the plaintext password and thus you should never be able to receive it in an email. You should store the salted hash of the password instead of the password itself.

[–] [email protected] 4 points 1 year ago (4 children)

These kind of forums don't store the plaintext password, they send an email while in memory, and hash them afterwards. Still bad security, but it's not storing it in plaintext.

load more comments (4 replies)
load more comments (2 replies)
[–] [email protected] 5 points 1 year ago

The only issue I can see is why are you sending the password to the person in the email at all just seems redundant... I think I may have run into a tree though.

load more comments
view more: next ›