Post subject: Please don't send me my password in plain text
Joined: 1/25/2014
Posts: 6
And storing it with reversible encryption is nearly just as bad, and I hope that's what is being done as a minimum currently in order to even make this possible. My old account was GMan, and I've been meaning to switch to this new one for some time. Having just done so, upon registration my username and password were sent to me in plain text in an email. This is a huge security no-no. Can we not do this? Perhaps switch to something like OpenId so the site doesn't even have to be in the business of handling passwords, which is notoriously easy to mess up. Thanks! Even better, perhaps we could retire phpBB, which is now bit-rotten and out of date. A more modern alternative like http://www.discourse.org/ would be swell.
Post subject: Re: Please don't send me my password in plain text
Emulator Coder, Skilled player (1112)
Joined: 5/1/2010
Posts: 1217
NicholasGorski wrote:
And storing it with reversible encryption is nearly just as bad, and I hope that's what is being done as a minimum currently in order to even make this possible.
It is not stored with reversible encryption (but it is still quite weak).
NicholasGorski wrote:
Can we not do this? Perhaps switch to something like OpenId so the site doesn't even have to be in the business of handling passwords, which is notoriously easy to mess up.
The password handling in web is just messed up in general. There is very large difference between state-of-the-art with passwords and the best that can be done on web... And everything else seems to be just DOA, thanks to web browser usability issues. Oh, and this isn't the only part in web security that is total clusterfuck...
NicholasGorski wrote:
Thanks! Even better, perhaps we could retire phpBB, which is now bit-rotten and out of date.
Yeah, getting rid of phpBB is a long-term TODO. Unfortunately, the site code is quite a mess of interdependencies on both Wiki and forum sides...
Post subject: Re: Please don't send me my password in plain text
Editor, Player (69)
Joined: 1/18/2008
Posts: 663
NicholasGorski wrote:
A more modern alternative like http://www.discourse.org/ would be swell.
Your other points were valid. For this, I lol'd. Nice joke.
true on twitch - lsnes windows builds 20230425 - the date this site is buried
NitroGenesis
He/Him
Editor, Experienced player (556)
Joined: 12/24/2009
Posts: 1873
So, uh, what was the reason for this username switch?
YoungJ1997lol wrote:
Normally i would say Yes, but thennI thought "its not the same hack" so ill stick with meh.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Yeah, hackers are really interested in your password to this site.
Joined: 6/4/2009
Posts: 893
Warp wrote:
Yeah, hackers are really interested in your password to this site.
if he is using the same password everywhere, this site can become a key to his bank account...
Joined: 12/22/2009
Posts: 291
Location: Michigan
Nicos wrote:
Warp wrote:
Yeah, hackers are really interested in your password to this site.
if he is using the same password everywhere, this site can become a key to his bank account...
That's his own fault then for stupid interneting
Current projects: Yoshi's Island Disassembly Yoshi's Island any% TAS with Carl Sagan
Joined: 6/4/2009
Posts: 893
DarkMoon wrote:
Nicos wrote:
Warp wrote:
Yeah, hackers are really interested in your password to this site.
if he is using the same password everywhere, this site can become a key to his bank account...
That's his own fault then for stupid interneting
not to be offienssive, but that's the case for like 90% of the peoples i know working in the IT, i know that the first reaction you get about changing password is "ow must i really do it ? they are so hard to remember" there is even a XKCD for this :
Patashu
He/Him
Joined: 10/2/2005
Posts: 4042
One ok idea is to use two passwords - one for financial services and emails you link to such services, one for stuff where it doesn't matter if the account is broken into, or if you suspect the security is bad enough it might get leaked.
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Emulator Coder, Skilled player (1112)
Joined: 5/1/2010
Posts: 1217
Patashu wrote:
One ok idea is to use two passwords - one for financial services and emails you link to such services, one for stuff where it doesn't matter if the account is broken into, or if you suspect the security is bad enough it might get leaked.
Better to use password manager and multiple passwords (perhaps with a password shared with stuff you really don't care about).
Emulator Coder, Site Developer, Former player
Joined: 11/6/2004
Posts: 833
On the original issue of the site having his plaintext password you're missing the obvious: your complaint is the site has your plaintext password at the moment of registration. Duh! You literally just provided it.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Nicos wrote:
not to be offienssive, but that's the case for like 90% of the peoples i know
If he's savvy enough to understand what plaintext transmission of information is and when it's happening, and why it poses a security risk for login information, he ought to also understand why it's a bad idea to use the same password for important and less important websites. I wouldn't like it if someone hacked my tasvideos.org account and started posting goat porn or spam, and I would not mind if the login was encrypted, but I do not consider it a very high priority issue either.
Joined: 6/4/2009
Posts: 893
Warp wrote:
Nicos wrote:
not to be offienssive, but that's the case for like 90% of the peoples i know
If he's savvy enough to understand what plaintext transmission of information is and when it's happening, and why it poses a security risk for login information, he ought to also understand why it's a bad idea to use the same password for important and less important websites. I wouldn't like it if someone hacked my tasvideos.org account and started posting goat porn or spam, and I would not mind if the login was encrypted, but I do not consider it a very high priority issue either.
you are right.
Joined: 4/13/2009
Posts: 431
The entire web is broken when you consider that confidential information is sent via email (e.g. password resets). This allows anyone to just sniff the information and use it to reset the password, encrypted or not. We really need that secure email right now...
Joined: 6/4/2009
Posts: 893
EEssentia wrote:
The entire web is broken when you consider that confidential information is sent via email (e.g. password resets). This allows anyone to just sniff the information and use it to reset the password, encrypted or not. We really need that secure email right now...
Joined: 7/2/2007
Posts: 3960
DeHackEd wrote:
On the original issue of the site having his plaintext password you're missing the obvious: your complaint is the site has your plaintext password at the moment of registration. Duh! You literally just provided it.
Email is not a secure protocol. Sending passwords or any other valuable information over email is inherently a bad idea. Hence the comment a couple of posts above mine about needing "secure email".
Pyrel - an open-source rewrite of the Angband roguelike game in Python.
Editor, Skilled player (1438)
Joined: 3/31/2010
Posts: 2108
Hey guys, I found out that if you write down your password here, it is automatically censored: ********* Amazing! Dumb jokes aside, usability and security are always at odds with eachother. My advice is to just excercise common sense and not to use throwaway passwords (much less the same ones) in more sensitive websites than this one. Above all else, don't just give the password out yourself.
Tub
Joined: 6/25/2005
Posts: 1377
EEssentia wrote:
We really need that secure email right now...
Considering that your password is sent completely unencrypted every time you log in, emails really are the least of your problems.
m00
Joined: 4/13/2009
Posts: 431
Tub wrote:
EEssentia wrote:
We really need that secure email right now...
Considering that your password is sent completely unencrypted every time you log in, emails really are the least of your problems.
On this site, yes, but that's not the case on most sites. But yes, you are right, it's only part of the problem. Yet, it IS a necessary parameter in the equation.
Joined: 6/4/2009
Posts: 893
security is voided the moment you connect to the internet, you can't "network" without sharing and you can't corretly share with too much security.... your computer is not secured if it can be physicaly accessed by somebody else, your internet connection is not secured if someone can put a black hole on your node your passwords are not secured if there is a failsafe system the failsafe system is not secured because it is meant to be a hole in the security nothing is safe from ducks. ducks are ducks from ducks. ducks ducks ducks ducks ducks. morality : ducks can hack your computers.
Joined: 4/13/2009
Posts: 431
As Dak'hon says... Balance, in all things.
Joined: 6/4/2009
Posts: 893
EEssentia wrote:
As Dak'hon says... Balance, in all things.
yep, both of you have summed it up.... but still, don't thrust ducks...
Joined: 1/25/2014
Posts: 6
No, I don't use the same password everywhere, though that doesn't really mean plain text handling of a password is okay. (And some people, for worse, do. I don't think it's fair to them to say "you shouldn't have to care the site is insecure" and not care if the site is insecure.) While I agree hacking tasvideos is probably low on the totem pole, the reason I brought it up is that the perceived quality of site is certainly lessened by the issue, and I would like to help out by just making sure the issue was known. I now know it is and that the site administrators just haven't had the time for it, which is perfectly valid. (As for why I changed my name anyway, I've been using "GMan" in some variation or another as my moniker for almost 17 years, and it's grown tired to me to the point of being annoying.)
Joined: 6/4/2009
Posts: 893
why didn't you simply message an admin to change the username for you, i think it's possible ? (as double accounts are forbiden, it should be ? riiighht ? ) as for the site security, until it gets fixed, try to think of it as ridding a bike... it's fun, but it's safer to walk... especialy when ducks are involved
Joined: 4/13/2009
Posts: 431
Nicos wrote:
i think it's possible ? (as double accounts are forbiden, it should be ? riiighht ? )
It IS possible...