Assault Andy Administrator
I make other people create vaporware
Registered 29/07/2002
Points 5686
27th November, 2009 at 12:49:16 -
Originally Posted by ~Matt Esch~ Why are user passwords stored in the database in a way that you can recover them? In the interest of security I suggest that user passwords are hashed in a suitable manner.
If the passwords are stored as plaintext then that's bad. But decryptable, while not ideal, isn't so bad. Where did you find information about how they are stored? Or did you try to recover a password?
Passwords are not viewable by site staff, they're emailed to users if they request a forgotten password - but if someone is already in your email account, you have bigger problems anyway.
It can be changed to a password reset system if people are really that worried
Heh, I remember back on the old TDC codebase where some guy used to read out passwords. That's why I use a special password or very generic password for every indie site
Disclaimer: Any sarcasm in my posts will not be mentioned as that would ruin the purpose. It is assumed that the reader is intelligent enough to tell the difference between what is sarcasm and what is not.
For some reason I couldn't log in, so I thought I would reset my password... Then I got emailed my actual password (which, as it happens, I was trying to log in with; I just couldn't log in that particular day :/ ). Passwords are and should be treated as personal and sensitive information, and they should always be hashed with a salt when stored in a database. It's just common practice and makes sense.
Originally Posted by Clubsoft Passwords are not viewable by site staff, they're emailed to users if they request a forgotten password - but if someone is already in your email account, you have bigger problems anyway.
It can be changed to a password reset system if people are really that worried
Not viewable by site staff notwithstanding, having passwords in plaintext is highly insecure. It only takes one breach of the database by a hacker to get everyone's passwords and information.
Also, if you have access to using HTTPS instead of HTTP you should be taking advantage of that for logging in (as you are now on a very expensive and what I assume is a dedicated server for TDC, you should have this available).
Anything short of using what Matt Esch just mentioned (hashed with a salt), and if it is available the use of HTTPS, is just plain stupid.
Somebody hacking our email accounts is something we can't really account for unless we decide to not allow password resetting at all. Changing the password recovery to a password reset merely hides the issue that passwords can be retrieved by somebody observing the database. Changing the way users are authenticated should be pretty simple without any disruption at all.
Hacking the database can be accounted for. Even if anyone had access to view entries, they would not be able to decrypt a salted hash without brute force/rainbow tables/etc., which is futile without some sort of supercomputer.
A hacker wouldn't even bother with encrypted passwords in a database, unless they just wanted to lock everyone out by messing with entries. They would just sniff packets being sent to the server for passwords and login names. HTTPS should solve that.
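The two changes the thread argues for (salted password hashing instead of recoverable storage, and a reset-token flow instead of emailing the password back) fit together in a small piece of code. The following is an added example written for this page; it is not code from the forum software or the TDC codebase. It assumes PBKDF2-HMAC-SHA256 from Python's standard library, an iteration count of 200,000, a string record format `pbkdf2_sha256$iterations$salt$hash` for the users table, and a plain dict standing in for the reset-token table; all of those are choices made here, not anything the thread describes.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed work factor for this example; raise it as hardware allows.
PBKDF2_ITERATIONS = 200_000
# Assumed lifetime of a reset token, in seconds.
RESET_TTL_SECONDS = 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm, iterations, salt and hash.

    A fresh random salt per user means two accounts with the same password
    get different records, so a precomputed (rainbow) table is useless.
    The plaintext is never stored, so it cannot be emailed back.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Reset-token store: sha256(token) -> (username, expiry). Only the hash of the
# token is kept, so reading this table does not yield usable tokens either.
ResetStore = Dict[str, Tuple[str, float]]


def issue_reset_token(store: ResetStore, username: str,
                      now: Optional[float] = None) -> str:
    """Create a one-time token; the raw value goes in the email, not the DB."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    store[key] = (username, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(store: ResetStore, token: str,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is valid and unexpired, else None.

    The entry is removed on first use, so a token cannot be replayed.
    """
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = store.pop(key, None)
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None
    return username


def same_password_different_records(password: str) -> bool:
    """Show the salt at work: two hashes of one password never match."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    users = {"andy": hash_password("correct horse battery staple")}
    print("login ok:", verify_password("correct horse battery staple", users["andy"]))
    print("wrong pw:", verify_password("hunter2", users["andy"]))
    resets: ResetStore = {}
    tok = issue_reset_token(resets, "andy")
    print("reset for:", redeem_reset_token(resets, tok))
    print("replayed token:", redeem_reset_token(resets, tok))
```

The usual migration path is to add the hashed column, hash each password the next time its owner logs in successfully, and switch the "forgotten password" page to `issue_reset_token` once every active account has been converted.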