Messed Up Forum Account

trashaccounttoaskaquestio
level0
Posts: 3
Joined: Thu Aug 08, 2013 9:14 pm

Messed Up Forum Account

Postby trashaccounttoaskaquestio » Thu Aug 08, 2013 9:26 pm

Hey, this is just a trash account I made to ask a question. I registered my email to these forums. I noticed the confirmation email you guys sent me had my plaintext password (which generally means passwords are stored plain-text as well), so I deleted the email and went back to change my password real fast.

Three minutes later I realized there wasn't a way to actually activate my forum account if I deleted that email before activating (needed for SVN access via the Humble Bundle). So... any chance I could get that initial email resent? Or, is there a way of getting that confirmation email resent purely through the forums?

If not I'd need my account deleted so I can register with my actual email address. :roll:
MAdMaN
level4
Posts: 899
Joined: Mon Jul 19, 2004 4:12 pm
Location: Manchester, England

Re: Messed Up Forum Account

Postby MAdMaN » Thu Aug 08, 2013 9:33 pm

trashaccounttoaskaquestio wrote:I noticed the confirmation email you guys sent me had my plaintext password (which generally means passwords are stored plain-text as well)

No, it means the e-mail was sent and then the password was encrypted.

trashaccounttoaskaquestio wrote:Three minutes later I realized there wasn't a way to actually activate my forum account if I deleted that email before activating (needed for SVN access via the Humble Bundle). So... any chance I could get that initial email resent? Or, is there a way of getting that confirmation email resent purely through the forums?

http://support.introversion.co.uk/
trashaccounttoaskaquestio
level0
Posts: 3
Joined: Thu Aug 08, 2013 9:14 pm

Re: Messed Up Forum Account

Postby trashaccounttoaskaquestio » Thu Aug 08, 2013 9:52 pm

MAdMaN wrote:No, it means the e-mail was sent and then the password was encrypted.


I hate to say this, but this isn't really guaranteed. A good 90% of users use the same password across accounts, and plaintext passwords are an easy way for a dishonest website to get money.

I'm not saying Introversion is one of those websites, but I do like to err on the side of caution.

trashaccounttoaskaquestio wrote:http://support.introversion.co.uk/


Bully, thanks!
tabasco boy
level5
Posts: 1180
Joined: Sun Mar 10, 2002 4:25 pm
Location: Lovely Planet Earth

Postby tabasco boy » Thu Aug 08, 2013 9:57 pm

Why you worried? The NSA, MI1 and MI8 got our backs :wink:
Eating without Tabasco® Sauce is like a computer without an OS.
trashaccounttoaskaquestio
level0
Posts: 3
Joined: Thu Aug 08, 2013 9:14 pm

Postby trashaccounttoaskaquestio » Thu Aug 08, 2013 10:20 pm

paktsardines
level5
Posts: 1752
Joined: Mon Oct 01, 2012 11:10 am
Location: Australia

Postby paktsardines » Fri Aug 09, 2013 3:22 am

A good 90% of users use the same password across accounts


90% of users shouldn't do that, and it is not IV's fault that people do. Next you'll be suggesting enforcing strong passwords... ;)


I'm a firm believer in evolution - give people enough rope, and then leave the rest to evolution.
Jackdapantyrip
level3
Posts: 250
Joined: Sat Mar 19, 2011 6:33 am

Postby Jackdapantyrip » Fri Aug 09, 2013 4:40 am

paktsardines wrote:
A good 90% of users use the same password across accounts


90% of users shouldn't do that, and it is not IV's fault that people do. Next you'll be suggesting enforcing strong passwords... ;)


I'm a firm believer in evolution - give people enough rope, and then leave the rest to evolution.


A weak cop-out reply. I thought you said you were a php programmer?
paktsardines
level5
Posts: 1752
Joined: Mon Oct 01, 2012 11:10 am
Location: Australia

Postby paktsardines » Fri Aug 09, 2013 5:34 am

It's not something I'm proud of; more my quiet shame.

Look, if someone's using the same login for discussion forums that they also use for their banking, well, they shouldn't be using the Internet. All web browsers alert people to the fact: 'The information you are about to send is being transmitted insecurely, etc.. etc...'
0gb.us
level0
Posts: 9
Joined: Thu Aug 08, 2013 10:28 pm

Postby 0gb.us » Fri Aug 09, 2013 6:24 am

paktsardines wrote:It's not something I'm proud of; more my quiet shame.

Look, if someone's using the same login for discussion forums that they also use for their banking, well, they shouldn't be using the Internet. All web browsers alert people to the fact: 'The information you are about to send is being transmitted insecurely, etc.. etc...'


However, if the database is compromised, plain text passwords for THIS site would be lost. An attacker could use that data to log in HERE as other people, even if they can't use those passwords elsewhere. The database should be encrypted. Introversion uses phpBB to run this forum though, and phpBB uses md5 hashing before storing passwords. I don't think it uses salt, so you have to watch out for rainbow tables, but it should be fine for this type of site.

For anyone who uses the same password everywhere, I recommend looking into an application called KeePassX. It securely stores your passwords for everything so you can use a unique password for every site while only having to memorize the password that unlocks your password database. It runs on GNU/Linux, it runs on Windows, and I'm fairly certain it runs on OS X, but I'm too lazy right now to check that for sure.
NeatNit
level5
Posts: 2929
Joined: Mon Jan 28, 2008 2:41 pm
Location: Israel

Postby NeatNit » Fri Aug 09, 2013 8:18 am

What you said is true. All passwords are encrypted after the email is sent.

Personally I use the same password nearly everywhere, except:
email
steam
banking (OBVIOUSLY)



Can someone explain rainbow tables real fast? I've tried reading the wikipedia article like 10 times but I just have no clue what it's yapping on about...
DHKold
level1
Posts: 60
Joined: Mon Oct 08, 2012 9:29 am

Postby DHKold » Fri Aug 09, 2013 9:24 am

NeatNit wrote:Can someone explain rainbow tables real fast? I've tried reading the wikipedia article like 10 times but I just have no clue what it's yapping on about...


First, let's remember what a hash is: it's a value (that is, a sequence of bits) computed using a one-way algorithm on an entry value (usually a string, like a password). Usually, each "hashing algorithm" produces a fixed-length hash. The "one-way" part is the key, because it guarantees that one cannot reverse the hash to find the original entry.

So, if you can't reverse the algo, you have to "guess" the entry. And since people are humans, they tend to use bad passwords like words, maybe with numbers, or combinations of words, etc. And they tend to use "short" passwords. The idea is then to build a gigantic table of entries with their hashes. So, when we get a hash, we may look into the table to see if it's a known one. In more than 90% of the cases, it will be, since most people use common passwords.
microchip08
level5
Posts: 1186
Joined: Fri Aug 31, 2007 4:37 pm

Postby microchip08 » Fri Aug 09, 2013 9:28 am

NeatNit wrote:Can someone explain rainbow tables real fast? I've tried reading the wikipedia article like 10 times but I just have no clue what it's yapping on about...


Hashes take time to compute, in an attempt to make it difficult to brute-force a large number of them. A rainbow table is a big long list of precomputed hashes: a hacker with a hash that they want to translate just goes down the list of hashes of common passwords until they find one that matches, then looks across to see what the plaintext was. It means that for common passwords, cracking is ridiculously fast (at a cost of the size of the huge rainbow table).

aaaaa 594F803B380A41396ED63DCA39503542
aaaab 11649B4394D09E4ABA132AD49BD1E7DB
aaaac 16A08135A7D44B3D6BEAC2D84F9067C6
...
zzzzy 203A66A9A3B53863A5B821BBC1A63539
zzzzz 95EBC3C7B3B9F1D2C40FEC14415D3CB8


Here's a basic explanation from Jeff Atwood.
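As an added example (not code from this thread, from phpBB or from Jeff Atwood's post), the table microchip08 describes is built below in Python over a toy keyspace, and then run against the two cases DHKold and 0gb.us raise: an unsalted MD5 is reversed by a single dictionary lookup, while the same password hashed with a per-user salt is not in the table at all. The last part shows the defender's fix, a random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The three-letter keyspace, the salt bytes and the password `cat` are constructed for the example.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional

# Toy keyspace standing in for the "aaaaa ... zzzzz" list in the post: every
# lowercase string of length 3 (26**3 = 17,576 entries). Constructed for this
# example so the table builds in well under a second.
ALPHABET = string.ascii_lowercase
KEY_LENGTH = 3
KDF_ITERATIONS = 200_000


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the fast unsalted hash the thread is discussing."""
    return hashlib.md5(data).hexdigest()


def build_lookup_table(alphabet: str = ALPHABET, length: int = KEY_LENGTH) -> dict:
    """Precompute hash -> plaintext for the whole keyspace.

    This is the table in the post: the hashing is done once, up front, and each
    later reversal is a dictionary lookup instead of a hash computation.
    """
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        plaintext = "".join(chars)
        table[md5_hex(plaintext.encode())] = plaintext
    return table


def lookup(table: dict, digest: str) -> Optional[str]:
    """Reverse an unsalted hash if its plaintext is in the keyspace, else None."""
    return table.get(digest.lower())


def salted_md5(password: str, salt: bytes) -> str:
    """MD5 over salt || password. Still a fast hash, but the table above was
    built without any salt, so none of its entries correspond to this input."""
    return md5_hex(salt + password.encode())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = KDF_ITERATIONS) -> tuple:
    """What a site should store instead of a bare MD5: a random per-user salt
    and a slow key derivation, so a precomputed table would have to be rebuilt
    per user and each entry would cost `iterations` hashes."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = KDF_ITERATIONS) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    _, derived = hash_password(password, salt, iterations)
    return hmac.compare_digest(derived, stored)


def demo(password: str = "cat") -> dict:
    """Run the three cases side by side on one constructed password."""
    table = build_lookup_table()
    unsalted_hit = lookup(table, md5_hex(password.encode()))
    salt = bytes.fromhex("8f13a0c4d7e2b9056a1f3c5d7e9b2a44")  # constructed salt
    salted_miss = lookup(table, salted_md5(password, salt))
    kdf_salt, stored = hash_password(password)
    return {
        "table_entries": len(table),
        "unsalted_hit": unsalted_hit,      # "cat": recovered by one dict lookup
        "salted_miss": salted_miss,        # None: the precomputed table is useless
        "kdf_verifies": verify_password(password, kdf_salt, stored),
        "kdf_rejects_wrong": not verify_password("dog", kdf_salt, stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Strictly speaking, a hash-to-plaintext list like the one in the post is a lookup table; a rainbow table in Oechslin's sense stores chains of hashes to trade disk space for recomputation at lookup time. The defence is the same in both cases: once each user has a different random salt, one table no longer covers everybody, and a slow KDF makes even a per-user table expensive to build.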
MAdMaN
level4
Posts: 899
Joined: Mon Jul 19, 2004 4:12 pm
Location: Manchester, England

Postby MAdMaN » Fri Aug 09, 2013 9:28 am

Colytic
level4
Posts: 826
Joined: Tue Feb 19, 2013 3:24 pm
Location: Somewhere outside London

Postby Colytic » Fri Aug 09, 2013 10:22 am

trashaccounttoaskaquestion wrote:I'm not saying Introversion is one of those websites, but I do like to err on the side of caution.


Cyber-criminals trying to intercept the e-mail and break into the database is something you should be more concerned about than a company with such a long and positive history and loyal following as Introversion.

+1 on KeePass - essential tool.
jelco
level5
Posts: 6018
Joined: Sat Feb 18, 2006 7:45 am
Location: Cygnus X-1

Postby jelco » Fri Aug 09, 2013 11:30 pm

Sigh. Are we really at this again?

Anyone with even the slightest clue can figure out this is phpBB 2. You can install it yourself and take a look at the database. Better yet, just download the source and go inspect that. Passwords are stored in a hashed format - end of story.

Now can all the people with their pretentious tone of "look at me being oh so totally clever for caring about this super important piece of security" please shut the fuck up and move on from their Dunning-Kruger syndrome?

Jelco
