Seriously? Clear text passwords?

ReggX
level0
Posts: 1
Joined: Wed Jun 12, 2013 4:33 pm

Seriously? Clear text passwords?

Postby ReggX » Wed Jun 12, 2013 4:40 pm

To the Forum admins,

I couldn't believe my eyes at what I saw just now. The registration mail contained my password in clear text form.
Since even that basic practice of password security isn't fulfilled, how should I trust you to keep your database safe from attacks?
VoiD88
level5
Posts: 1001
Joined: Thu Dec 08, 2005 9:24 am
Location: Soltau, Germany

Postby VoiD88 » Wed Jun 12, 2013 9:28 pm

Why are you concerned? Do you use your credit card number as your password? Or are you using the same password everywhere? Which kind of sensitive data do you enter on this forum that you fear might fall into whose hands? :roll:
Life is NOT like a box of chocolates, it's more like a jar of jalapeños: What you do today might burn your a** tomorrow.
~Garfield
Great Magical Hat
level3
Posts: 486
Joined: Thu Dec 15, 2005 4:57 pm
Location: Netherlands

Postby Great Magical Hat » Sat Jun 15, 2013 12:39 am

Jelco, you seem to miss a major point there: the plain text passwords are stored. How else could it be sent to you when you use the "forgot password" link? Try it yourself if you don't believe me.

Now I don't care much myself, but you'll have to agree it's extremely bad form. (In reality not much worse security than a simple hash, but way worse form all the same.)


(I realized it just now because I just typed my password for the first time in a while, and it's a password I thought up a very long time ago and had resent to me when I had forgotten it over the years.)
NeatNit
level5
Posts: 2929
Joined: Mon Jan 28, 2008 2:41 pm
Location: Israel

Postby NeatNit » Sat Jun 15, 2013 1:32 am

Great Magical Hat wrote: Jelco, you seem to miss a major point there: the plain text passwords are stored. How else could it be sent to you when you use the "forgot password" link. Try it yourself if you don't believe me.

Now I don't care much myself, but you'll have to agree it's extremely bad form. (In reality not much worse security than a simple hash, but way worse form all the same.)


(I realized it just now because I just typed my password for the first time in a while, and it's a password I thought up a very long time ago and had resent to me when I had forgotten it over the years.)

Encryption. The server can decrypt the password, send it in your email, and then remove all traces of the decrypted password from itself. We have no proof that it does this, but we also have no proof that it doesn't.
Still not great security though, either way. Most systems use one-way hashing; this way the server doesn't know the actual password, it only knows the result you would get when you input that password into a complex set of algorithms which cannot be reversed. If that hash is stolen by hackers, their only form of action would be to input every possible password into the algorithms until one is found with the correct result. With encrypted passwords (which this forum probably has), the algorithms can be reversed, and if the hackers know this reversed algorithm, they can easily generate the passwords from the stored encrypted passwords.
trickser
level5
Posts: 1826
Joined: Thu Mar 06, 2008 2:15 pm
Location: The Senate ; GMT+1

Postby trickser » Sat Jun 15, 2013 2:12 am

What a nonsense!

Especially this:
NeatNit wrote: We have no proof that it does this, but we also have no proof that it doesn't.

Can anybody tell me a case when this ever made sense?

Also,
NeatNit wrote: The server can decrypt the password

What one computing engine can do, another can also; hence the word software. How is that different from plain passwords?
Great Magical Hat
level3
Posts: 486
Joined: Thu Dec 15, 2005 4:57 pm
Location: Netherlands

Postby Great Magical Hat » Sat Jun 15, 2013 3:01 am

NeatNit wrote: Encryption.

Fair enough, that's an option I didn't think about. I'll disagree with you that it's likely to be used, though.

As for the rest you say, yes, I know what we are talking about. To make a much-needed improvement to the hashing system, you'll need personalized salts. However, even then your passwords aren't secure, really. The problem is that hashing algorithms are designed to be fast, whereas you need a slow algorithm to make brute forcing impractical. You're best off leaving the handling of passwords to a dedicated library.
xander
level5
Posts: 16869
Joined: Thu Oct 21, 2004 11:41 pm
Location: Highland, CA, USA

Postby xander » Sat Jun 15, 2013 3:34 am

NeatNit wrote:Encryption. The server can decrypt the password, send it in your email, and then remove all traces of the decrypted password from itself. We have no proof that it does this, but we also have no proof that it doesn't.
Still not great security though, either way. Most systems use one-way hashing, this way the server doesn't know the actual password, it only knows the result you would get when you input that password in a complex set of algorithms which cannot be reversed. If that hash is stolen by hackers, their only form of action would be to input every possible password into the algorithms until one is found with the correct result. With encrypted passwords (which this forum probably has), the algorithms can be reversed and if the hackers know this reversed algorithm, they can easily generate the passwords from the stored encrypted passwords.

Um... no. Just no. In a properly encrypted authentication system, the password is hashed immediately and the hash is stored, not the plaintext password. In such a system, the password is never ever decrypted. The server has no way of retrieving the original password. Instead, when a password is entered, the input is hashed and compared to the hash that has been stored on the server. If passwords are being sent out in plaintext via the "Forgotten Password" system, then the passwords are being stored in plaintext, which is a major no-no (though, as has been pointed out before, forum passwords should be considered insecure and low priority, anyway---worst case scenario, someone pretends to be you and posts BS on the forums under your name---could this be the new Ace Rimmer?).

xander
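The scheme xander and Great Magical Hat describe above (hash the password immediately at registration with a per-user salt and a deliberately slow function, re-hash and compare on login, never store or recover the plaintext), next to the unsalted "simple hash" it improves on, as an added Python example. This is not code from the thread or from phpBB; PBKDF2-HMAC-SHA256 from the standard library stands in for the dedicated library Great Magical Hat recommends, and the iteration count, record format and user names are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Weak scheme, for contrast: one fast, unsalted digest per password.
# Two users with the same password get the same digest, so a leaked table
# reveals who shares a password and precomputed lookup tables apply to every row.
def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Stronger scheme: random per-user salt plus a deliberately slow KDF.
# The iteration count is an assumed demo value; a real deployment tunes it
# to the hardware (or uses bcrypt/scrypt/argon2 via a dedicated library).
ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Only what is needed to re-run the KDF is kept; the password itself is not.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the candidate password and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

def register(db: Dict[str, str], user: str, password: str) -> None:
    """Hash immediately on registration; the database never sees the plaintext."""
    db[user] = hash_password(password)

def login(db: Dict[str, str], user: str, password: str) -> bool:
    """Hash the submitted password and compare it with the stored record."""
    record = db.get(user)
    if record is None:
        # Burn the same KDF cost for unknown users so response time does not
        # reveal which user names exist.
        hash_password(password)
        return False
    return verify_password(password, record)

if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    users_db: Dict[str, str] = {}
    register(users_db, "alice", "correct horse battery")
    register(users_db, "bob", "correct horse battery")
    print("unsalted digests identical:",
          unsalted_md5("correct horse battery") == unsalted_md5("correct horse battery"))
    print("salted records differ:", users_db["alice"] != users_db["bob"])
    print("login with right password:", login(users_db, "alice", "correct horse battery"))
    print("login with wrong password:", login(users_db, "alice", "Correct horse battery"))
```

Nothing in this design can hand the password back, which is exactly why a "forgot password" mail can only carry a reset link, not the password: the server has the salt and the digest, and the digest is not reversible.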
NeatNit
level5
Posts: 2929
Joined: Mon Jan 28, 2008 2:41 pm
Location: Israel

Postby NeatNit » Sat Jun 15, 2013 12:37 pm

xander wrote:
NeatNit wrote:Encryption. The server can decrypt the password, send it in your email, and then remove all traces of the decrypted password from itself. We have no proof that it does this, but we also have no proof that it doesn't.
Still not great security though, either way. Most systems use one-way hashing, this way the server doesn't know the actual password, it only knows the result you would get when you input that password in a complex set of algorithms which cannot be reversed. If that hash is stolen by hackers, their only form of action would be to input every possible password into the algorithms until one is found with the correct result. With encrypted passwords (which this forum probably has), the algorithms can be reversed and if the hackers know this reversed algorithm, they can easily generate the passwords from the stored encrypted passwords.

Um... no. Just no. In a properly encrypted authentication system, the password is hashed immediately and the hash is stored, not the plaintext password. In such a system, the password is never ever decrypted. The server has no way of retrieving the original password. Instead, when a password is entered, the input is hashed and compared to the hash that has been stored on the server. If passwords are being sent out in plaintext via the "Forgotten Password" system, then the passwords are being stored in plaintext, which is a major no-no (though, as has been pointed out before, forum passwords should be considered insecure and low priority, anyway---worst case scenario, someone pretends to be you and posts BS on the forums under your name---could this be the new Ace Rimmer?).

xander
“We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list. One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.”
http://onehitpixel.com/2011/05/03/passw ... sony/11876

I didn't make any of that up. There's encrypted passwords (which can be decrypted) and there's hashes (which cannot, this is what you were talking about).
xander
level5
Posts: 16869
Joined: Thu Oct 21, 2004 11:41 pm
Location: Highland, CA, USA

Postby xander » Sat Jun 15, 2013 8:39 pm

NeatNit wrote:
xander wrote:
NeatNit wrote:Encryption. The server can decrypt the password, send it in your email, and then remove all traces of the decrypted password from itself. We have no proof that it does this, but we also have no proof that it doesn't.
Still not great security though, either way. Most systems use one-way hashing, this way the server doesn't know the actual password, it only knows the result you would get when you input that password in a complex set of algorithms which cannot be reversed. If that hash is stolen by hackers, their only form of action would be to input every possible password into the algorithms until one is found with the correct result. With encrypted passwords (which this forum probably has), the algorithms can be reversed and if the hackers know this reversed algorithm, they can easily generate the passwords from the stored encrypted passwords.

Um... no. Just no. In a properly encrypted authentication system, the password is hashed immediately and the hash is stored, not the plaintext password. In such a system, the password is never ever decrypted. The server has no way of retrieving the original password. Instead, when a password is entered, the input is hashed and compared to the hash that has been stored on the server. If passwords are being sent out in plaintext via the "Forgotten Password" system, then the passwords are being stored in plaintext, which is a major no-no (though, as has been pointed out before, forum passwords should be considered insecure and low priority, anyway---worst case scenario, someone pretends to be you and posts BS on the forums under your name---could this be the new Ace Rimmer?).

xander
“We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list. One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.”
http://onehitpixel.com/2011/05/03/passw ... sony/11876

I didn't make any of that up. There's encrypted passwords (which can be decrypted) and there's hashes (which cannot, this is what you were talking about).

That in no way contradicts what I posted above.

xander
NeatNit
level5
Posts: 2929
Joined: Mon Jan 28, 2008 2:41 pm
Location: Israel

Postby NeatNit » Sat Jun 15, 2013 9:29 pm

In the same way what you said doesn't contradict what I said earlier..?
Mas Tnega
level5
Posts: 7898
Joined: Sat Mar 02, 2002 11:54 pm
Location: Edinburgh

Postby Mas Tnega » Sat Jun 15, 2013 9:52 pm

Except for the part where nothing you said applied to the forum.
xander
level5
Posts: 16869
Joined: Thu Oct 21, 2004 11:41 pm
Location: Highland, CA, USA

Postby xander » Sat Jun 15, 2013 10:15 pm

Mas Tnega wrote: Except for the part where nothing you said applied to the forum.

This.

xander
RabidZombie
level5
Posts: 2414
Joined: Fri Nov 18, 2005 10:09 pm

Postby RabidZombie » Sun Jun 16, 2013 1:59 pm

Is there a good reason the password IS still sent in the email? Seems like a pretty easy target for improving user experience. We'd stop getting people complaining that their password is stored in plaintext!
Great Magical Hat
level3
Posts: 486
Joined: Thu Dec 15, 2005 4:57 pm
Location: Netherlands

Postby Great Magical Hat » Sun Jun 16, 2013 8:52 pm

jelco wrote: They just aren't. You can set up your own phpBB install and look in the DB yourself. They aren't.


I've run many phpbb installs over the years and know they do not store passwords normally. (They used some of the poorest hashing back in the days this forum is from, though - I don't know what the current situation is). My idea was that these forums are modded and it was very possible it didn't do things the same way as a plain install.

However, I was wrong and I apologize for any allegations I made. I succinctly remembered my current password being from long ago as well as I remembered retrieving my password after not logging in for years. What I didn't remember was that I retrieved the password by finding that original mail, rather than clicking the "forgot password" link.

Once again, I'm sorry.
NeoThermic
Introversion Staff
Posts: 6256
Joined: Sat Mar 02, 2002 10:55 am
Location: ::1

Postby NeoThermic » Mon Jun 17, 2013 6:37 am

Great Magical Hat wrote:
jelco wrote: They just aren't. You can set up your own phpBB install and look in the DB yourself. They aren't.


I've run many phpbb installs over the years and know they do not store passwords normally. (They used some of the poorest hashing back in the days this forum is from, though - I don't know what the current situation is). My idea was that these forums are modded and it was very possible it didn't do things the same way as a plain install.


I can say, for certainty, that we would NEVER edit the forum to store plain-text passwords. That would be absurd.

As for phpBB2, it uses unsalted MD5. Granted, in this day and age that's terrible, but I'll note two things: 1) this is what all forum software of this age uses (some salted, but it was all MD5), and 2) this is only a concern if the database is somehow exposed.

As for phpBB3, it uses a slightly modified version of phpass; modified to always use the portable hashes; MD5-based salted and variable iteration count password hashes.

Your initial registration email will contain the plain-text password, but this is sent before the password is then hashed. The password-forget feature will generate a unique link for you to click which will allow you to reset the password in question.

NeoThermic
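The reset flow NeoThermic describes, a unique link in the mail instead of the password, as an added Python example. This is not phpBB's own code: the table layout (only a digest of the token is kept, with an expiry), the one-hour lifetime, the host name in the link and the single-use rule are assumptions for the demo. Storing only the digest matters for the same reason as hashing passwords: a copy of the table cannot be turned into working reset links.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link

# Assumed table layout: user -> (sha256 of token, expiry timestamp).
ResetTable = Dict[str, Tuple[str, float]]

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_reset_token(table: ResetTable, user: str, now: Optional[float] = None) -> str:
    """Create a fresh random token, record only its digest and expiry, and
    return the token itself for the e-mail. Re-issuing replaces any older request."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    table[user] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token

def reset_link(user: str, token: str) -> str:
    """Build the link that goes into the mail (hypothetical host name)."""
    return f"https://forum.example/reset?user={user}&token={token}"

def redeem_reset_token(table: ResetTable, user: str, token: str,
                       now: Optional[float] = None) -> bool:
    """Accept the token once and only before expiry; drop it on success or expiry."""
    now = time.time() if now is None else now
    entry = table.get(user)
    if entry is None:
        return False
    stored_digest, expiry = entry
    if now > expiry:
        del table[user]  # stale request; a new one must be issued
        return False
    if not hmac.compare_digest(_digest(token), stored_digest):
        return False  # wrong token; the pending request stays so a typo does not cancel it
    del table[user]  # single use: the link is dead after one successful reset
    return True

if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is repeatable.
    table: ResetTable = {}
    token = issue_reset_token(table, "alice", now=1000.0)
    print("mail contains:", reset_link("alice", token))
    print("table holds token verbatim:", token in table["alice"][0])
    print("first click:", redeem_reset_token(table, "alice", token, now=1001.0))
    print("second click:", redeem_reset_token(table, "alice", token, now=1002.0))
```

Compared with the registration mail NeoThermic mentions, which carries the password because it is sent before hashing, the reset mail here never carries anything that outlives the single click, so a mailbox read later gains nothing.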
