Password problem!!!




neonsign



Joined: 21 Apr 2013
Posts: 3
Posted: Sun Apr 21, 2013 4:14 am
I just registered to your site, and received an email giving further instructions to activate my account.

And what's creepy about that is that I received my password in PLAINTEXT. Is this how you store our passwords in your database?

You should start worrying about that 'cause it's NOT the right way of doing that. Either save the HASH of the password or the SaltedHASH of it (more secure).

Please consider this.

Best regards
Dan42
Chief Encyclopedist


Joined: 02 Jan 2002
Posts: 3782
Location: Montreal
Posted: Sun Apr 21, 2013 8:48 am
I admit it's ridiculous to send the plaintext password in an email. That's just how old and retarded phpBB2 is. But only the hash of the password is stored in the database.
neonsign



Joined: 21 Apr 2013
Posts: 3
Posted: Sun Apr 21, 2013 9:14 am
If it's stored as a hash, how is it possible to send me back the plaintext of it?

I suggest you take a little time and 'maintain' some tiny parts of your code and get it fixed, because sooner or later this vulnerability is gonna cost much more.

Just saying, you know.
I wouldn't want anyone to have even the smallest possibility to gain access over my account.
Tony K.
Subscriber
Moderator


Joined: 18 Nov 2003
Posts: 11293
Location: Frisco, TX
Posted: Sun Apr 21, 2013 6:08 pm
Why would someone care to hack an ANN account anyway? I mean, the most they could find out is an email address, unless you're just hiding all kinds of important names and numbers throughout your "my ANN" tabs, which I really don't recommend.
dtm42



Joined: 05 Feb 2008
Posts: 14084
Location: currently stalking my waifu
Posted: Sun Apr 21, 2013 7:02 pm
^
Well Tony K., if someone hacked ANN and nabbed your password they could wreak all kinds of havoc with your Mod powers. Heck, even if you weren't a Moderator they could still make insulting, derogatory and abusive posts in your name and hurt your reputation before the Mods finally shut them down. Heck, if they really wanted to land you in hot water they'd use your account to directly post child porn pictures on the forum. Even if it could be easily disproved that it wasn't you who posted them, it would still be an extremely uncomfortable experience for you.

So I can see why some people would be a bit nervous if they believe - rightly or wrongly - that their password is not secure.

Now, I have no idea if the passwords are securely stored, but since I've never heard of ANN login passwords being stolen before, and since Dan42 isn't fretting over it, I'm not going to be losing much sleep over the matter. Obviously the OP is a bit more cautious than I am.
Tony K.
Subscriber
Moderator


Joined: 18 Nov 2003
Posts: 11293
Location: Frisco, TX
Posted: Sun Apr 21, 2013 7:29 pm
Well if someone wanted to wreak havoc around the Internet, I think they could probably find a better place to do it than a website full of anime/manga/Japanese-related news. People who generally have that kind of god complex more than likely wouldn't limit themselves to such esoteric groundings anyway. And if they did hack someone's account just to defame the person, then it's likely more so a personal vendetta, which would just be sad and pathetic to even commit in the first place. It's like saying, "I have all these super hacking skills, but instead of making money off of it, I'm gonna' pretend to be this other guy and make him look bad! Mwa ha ha ha~!"

It'd be like some 4th-rate villain out of a character lineup in Despicable Me. The least they can do is show a little more ambition.
Rhyono



Joined: 03 Dec 2011
Posts: 1039
Posted: Sun Apr 21, 2013 10:21 pm
neonsign wrote:
If it's stored as a hash, how is it possible to send me back the plaintext of it?


When you register for the site, you are entering your password as plain text. Once you submit it, two things are done:

  1. It is sent to you the way you entered it (i.e. plain text).
  2. It is hashed and stored in the database.


As long as you can keep your email account secure, being sent your password to a forum is not the end of the world.
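The two steps described in the post above, as an added sketch that is not part of the original thread and is not phpBB's code: the welcome mail is built from the submitted form value, while the stored record holds only a salted hash. The function names, the in-memory `db` and `outbox`, the sample accounts and the PBKDF2-SHA256 scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def register(db, outbox, username, email, password):
    """Registration handler: the plaintext exists only inside this call."""
    # Step 1: the mail is composed from the form input, not read back from
    # the database. The mailed copy is the only place the plaintext persists.
    outbox.append((email, f"Welcome {username}, your password is: {password}"))
    # Step 2: only the salted hash is written to the user table.
    db[username] = hash_password(password)


def login(db, username, password):
    """A login never needs the original password, only a matching hash."""
    stored = db.get(username)
    return stored is not None and verify_password(password, stored)


def demo():
    db, outbox = {}, []  # constructed stand-ins for the user table and mailer
    register(db, outbox, "alice", "alice@example.test", "correct horse")
    register(db, outbox, "bob", "bob@example.test", "correct horse")
    return db, outbox
```

Because each record carries its own random salt, two accounts with the same password produce different stored strings, which is the difference between a plain hash and the salted hash the original poster asked about.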
Dessa



Joined: 14 Jul 2004
Posts: 4438
Posted: Sun Apr 21, 2013 11:02 pm
I should point out, knowing phpBB2 and phpBB3, that however the password is saved, the database can't recover it for you, nor can an administrator access your password (they can change it, but they can't see what it is).
Rhyono



Joined: 03 Dec 2011
Posts: 1039
Posted: Sun Apr 21, 2013 11:50 pm
Dessa wrote:
however the password is saved, the database can't recover it for you


That's because the password is saved as a hash.
neonsign



Joined: 21 Apr 2013
Posts: 3
Posted: Mon Apr 22, 2013 7:05 am
This helped me more than enough.
Thanks a lot, bros.

This did bring my sleep back.
Cheers :D
Shiroi Hane
Encyclopedia Editor


Joined: 25 Oct 2003
Posts: 7580
Location: Wales
Posted: Tue Apr 23, 2013 10:15 am
dtm42 wrote:
^
Well Tony K., if someone hacked ANN and nabbed your password they could wreak all kinds of havoc with your Mod powers.

Staff have to have stronger passwords than other members. Dan has checks in place.
Rhyono



Joined: 03 Dec 2011
Posts: 1039
Posted: Tue Apr 23, 2013 8:13 pm
@Shiroi Hane Biometrics, with a dongle, password, key code, IP, MAC, and (assuming Windows) the unique ID? Or just more complex passwords?
dtm42



Joined: 05 Feb 2008
Posts: 14084
Location: currently stalking my waifu
Posted: Tue Apr 23, 2013 8:48 pm
Keonyn
Subscriber



Joined: 25 May 2005
Posts: 5567
Location: Coon Rapids, MN
Posted: Tue Apr 23, 2013 8:52 pm
Yeah, that seems about right.
Tony K.
Subscriber
Moderator


Joined: 18 Nov 2003
Posts: 11293
Location: Frisco, TX
Posted: Tue Apr 23, 2013 9:12 pm
And I often feel like a lot of users have hearing impairments from the Cone of Silence...
This topic is locked. All times are GMT - 5 Hours.