
Messed Up Forum Account

Posted: Thu Aug 08, 2013 9:26 pm
by trashaccounttoaskaquestio
Hey, this is just a trash account I made to ask a question. I registered my email to these forums. I noticed the confirmation email you guys sent me had my plaintext password (which generally means passwords are stored plain-text as well), so I deleted the email and went back to change my password real fast.

Three minutes later I realized there wasn't a way to actually activate my forum account if I deleted that email before activating (needed for SVN access via the Humble Bundle). So... any chance I could get that initial email resent? Or, is there a way of getting that confirmation email resent purely through the forums?

If not I'd need my account deleted so I can register with my actual email address. :roll:

Re: Messed Up Forum Account

Posted: Thu Aug 08, 2013 9:33 pm
by MAdMaN
trashaccounttoaskaquestio wrote:I noticed the confirmation email you guys sent me had my plaintext password (which generally means passwords are stored plain-text as well)

No, it means the e-mail was sent and then the password was encrypted.

trashaccounttoaskaquestio wrote:Three minutes later I realized there wasn't a way to actually activate my forum account if I deleted that email before activating (needed for SVN access via the Humble Bundle). So... any chance I could get that initial email resent? Or, is there a way of getting that confirmation email resent purely through the forums?

http://support.introversion.co.uk/

Re: Messed Up Forum Account

Posted: Thu Aug 08, 2013 9:52 pm
by trashaccounttoaskaquestio
MAdMaN wrote:No, it means the e-mail was sent and then the password was encrypted.


I hate to say this, but this isn't really guaranteed. A good 90% of users use the same password across accounts, and plaintext passwords are an easy way for a dishonest website to get money.

I'm not saying Introversion is one of those websites, but I do like to err on the side of caution.

trashaccounttoaskaquestio wrote:http://support.introversion.co.uk/


Bully, thanks!

Posted: Thu Aug 08, 2013 9:57 pm
by tabasco boy
why you worried the NSA, MI1 and MI8 got our backs :wink:

Posted: Thu Aug 08, 2013 10:20 pm
by trashaccounttoaskaquestio

Posted: Fri Aug 09, 2013 3:22 am
by paktsardines
A good 90% of users use the same password across accounts


90% of users shouldn't do that, and it is not IV's fault that people do. Next you'll be suggesting enforcing strong passwords... ;)


I'm a firm believer in evolution - give people enough rope, and then leave the rest to evolution.

Posted: Fri Aug 09, 2013 4:40 am
by Jackdapantyrip
paktsardines wrote:
A good 90% of users use the same password across accounts


90% of users shouldn't do that, and it is not IV's fault that people do. Next you'll be suggesting enforcing strong passwords... ;)


I'm a firm believer in evolution - give people enough rope, and then leave the rest to evolution.


A weak cop-out reply. I thought you said you were a php programmer?

Posted: Fri Aug 09, 2013 5:34 am
by paktsardines
It's not something I'm proud of; more my quiet shame.

Look, if someone's using the same login for discussion forums that they also use for their banking, well they shouldn't be using the Internet. All web browsers alert people to the fact: 'The information you are about to send is being transmitted insecurely, etc.. etc...'

Posted: Fri Aug 09, 2013 6:24 am
by 0gb.us
paktsardines wrote:It's not something I'm proud of; more my quiet shame.

Look, if someone's using the same login for discussion forums that they also use for their banking, well they shouldn't be using the Internet. All web browsers alert people to the fact: 'The information you are about to send is being transmitted insecurely, etc.. etc...'


However, if the database is compromised, plain text passwords for THIS site would be lost. An attacker could use that data to log in HERE as other people, even if they can't use those passwords elsewhere. The database should be encrypted. Introversion uses phpBB to run this forum though, and phpBB uses md5 hashing before storing passwords. I don't think it uses salt, so you have to watch out for rainbow tables, but it should be fine for this type of site.

For anyone who uses the same password everywhere, I recommend looking into an application called KeePassX. It securely stores your passwords for everything so you can use a unique password for every site while only having to memorize the password that unlocks your password database. It runs on GNU/Linux, it runs on Windows, and I'm fairly certain it runs on OS X, but I'm too lazy right now to check that for sure.

Posted: Fri Aug 09, 2013 8:18 am
by NeatNit
What you said is true. All passwords are encrypted after the email is sent.

Personally I use the same password nearly everywhere, except:
email
steam
banking (OBVIOUSLY)



Can someone explain rainbow tables real fast? I've tried reading the wikipedia article like 10 times but I just have no clue what it's yapping on about...

Posted: Fri Aug 09, 2013 9:24 am
by DHKold
NeatNit wrote:Can someone explain rainbow tables real fast? I've tried reading the wikipedia article like 10 times but I just have no clue what it's yapping on about...


First, let's remember what a Hash is: It's a value (that is, a sequence of bits) computed using a one-way algorithm on an entry value (usually a string, like a password). Usually, each "hashing algorithm" produces a fixed-length hash. The "one-way" is the key, because it guarantees that one cannot reverse the hash to find the original entry.

So, if you can't reverse the algo, you have to "guess" the entry. And since people are humans, they tend to use bad passwords like words, maybe with numbers, or combinations of words, etc. And they tend to use "short" passwords. The idea is then to build a gigantic table of entries with their hashes. So, when we get a hash, we may look into the table to see if it's a known one. In more than 90% of the cases, it will be, since most people use common passwords.

Posted: Fri Aug 09, 2013 9:28 am
by microchip08
NeatNit wrote:Can someone explain rainbow tables real fast? I've tried reading the wikipedia article like 10 times but I just have no clue what it's yapping on about...


Hashes take time to compute, in an attempt to make it difficult to brute-force a large number of them. A rainbow table is a big long list of precomputed hashes: a hacker with a hash that they want to translate just goes down the list of hashes of common passwords until they find one that matches, then looks across to see what the plaintext was. It means that for common passwords, cracking is ridiculously fast (at a cost of the size of the huge rainbow table).


aaaaa 594F803B380A41396ED63DCA39503542
aaaab 11649B4394D09E4ABA132AD49BD1E7DB
aaaac 16A08135A7D44B3D6BEAC2D84F9067C6
...
zzzzy 203A66A9A3B53863A5B821BBC1A63539
zzzzz 95EBC3C7B3B9F1D2C40FEC14415D3CB8


Here's a basic explanation from Jeff Atwood.

Posted: Fri Aug 09, 2013 9:28 am
by MAdMaN

Posted: Fri Aug 09, 2013 10:22 am
by Colytic
trashaccounttoaskaquestion wrote:I'm not saying Introversion is one of those websites, but I do like to err on the side of caution.


Cyber-criminals trying to intercept the e-mail and break into the database is something you should be more concerned about than a company with such a long and positive history and loyal following as Introversion.

+1 on KeePass - essential tool.

Posted: Fri Aug 09, 2013 11:30 pm
by jelco
Sigh. Are we really at this again?

Anyone with even the slightest clue can figure out this is phpBB 2. You can install it yourself and take a look at the database. Better yet, just download the source and go inspect that. Passwords are stored in a hashed format - end of story.

Now can all the people with their pretentious tone of "look at me being oh so totally clever for caring about this super important piece of security" please shut the fuck up and move on from their Dunning-Kruger syndrome?

Jelco