The Daily Click ::. Forums ::. Daily Click ::. Password Security
 

Post Reply  Post Oekaki 
 

Posted By Message

Assault Andy

Administrator
I make other people create vaporware

Registered
  29/07/2002
Points
  5686

Game of the Week WinnerVIP Member360 OwnerGOTM JUNE - 2009 - WINNER!GOTM FEB - 2010 - WINNER!	I donated an open source project
27th November, 2009 at 12:49:16 -


Originally Posted by ~Matt Esch~
Why are user passwords stored in the database in a way that you can recover them? In the interest of security I suggest that user passwords are hashed in a suitable manner.



If the passwords are stored as plaintext then that's bad. But decryptable, while not ideal, isn't so bad. Where did you find information about how they are stored? Or did you try to recover a password?

 
Creator of Faerie Solitaire:
http://www.create-games.com/download.asp?id=7792
Also creator of ZDay20 and Dungeon Dash.
http://www.Jigxor.com
http://twitter.com/JigxorAndy

Clubsoft

Administrator
Weeeeeeee

Registered
  02/12/2001
Points
  254

Acoders MemberHas Donated, Thank You!May contain nutsVIP Member360 OwnerI'm an alien!Code Monkey
27th November, 2009 at 13:10:29 -

Passwords are not viewable by site staff, they're emailed to users if they request a forgotten password - but if someone is already in your email account, you have bigger problems anyway.

It can be changed to a password reset system if people are really that worried

 
.: ImageApocalyptic Coders - www.acoders.com :.

Codemonkey

Always Serious

Registered
  06/11/2007
Points
  164

Code MonkeyKlikCast StarVIP MemberAttention GetterWii Owner360 OwnerThe Cake is a LieCardboard BoxHero of TimeI'm a Storm Trooper
I'm on a BoatIt's-a me, Mario!PS3 OwnerSonic SpeedGOTM - SEPTEMBER 2009 - WINNER!Evil klikerPokemon Ball!I am an April Fool
27th November, 2009 at 16:23:59 -

I'm shaking in my boots!

 
You can log off any time you like, but you can't ever leave.

Muz



Registered
  14/02/2002
Points
  6499

VIP MemberI'm on a BoatI am an April FoolHonored Admin Alumnus
28th November, 2009 at 18:21:38 -

Wait, we're not allowed to view passwords?

Heh, I remember back on the old TDC codebase where some guy used to read out passwords. That's why I use a special password or very generic password for every indie site

 
Disclaimer: Any sarcasm in my posts will not be mentioned as that would ruin the purpose. It is assumed that the reader is intelligent enough to tell the difference between what is sarcasm and what is not.

Image

~Matt Esch~

Stone Goose

Registered
  30/12/2006
Points
  870

VIP Member
3rd December, 2009 at 08:59:49 -

For some reason I couldn't log in so I thought I would reset my password.... Then I got emailed my actual password (which, as it happens, I was trying to log in with, I just couldn't log in that particular day :/ ). Passwords are and should be treated as personal and sensitive information, and they should always be hashed with a salt when stored in a database. It's just common practice and makes sense.

 
http://create-games.com/project.asp?id=1875 Image


Cecilectomy

noPE

Registered
  19/03/2005
Points
  305

Has Donated, Thank You!VIP MemberWeekly Picture Me This Winner!Cardboard BoxGhostbuster!Pokemon Ball!ComputerBox RedSanta HatSnowman
I am an April Fool
3rd December, 2009 at 11:11:52 -


Originally Posted by Clubsoft
Passwords are not viewable by site staff, they're emailed to users if they request a forgotten password - but if someone is already in your email account, you have bigger problems anyway.

It can be changed to a password reset system if people are really that worried



not viewable by site staff withstanding, having passwords in plaintext is highly insecure. it only takes one breach of the database by a hacker to get everyones passwords and information.

also, if you have access to using https instead of http you should be taking advantage of that for logging in (as you are now on a very expensive and what i assume is a dedicated server for tdc you should have this available).

anything short of using what matt esch just mentioned (hashed with a salt), and if it is available the use of https, is just plain stupid.

 
n/a

Ski

TDC is my stress ball

Registered
  13/03/2005
Points
  10130

GOTW WINNER CUP 1!GOTW WINNER CUP 2!GOTW WINNER CUP 3!KlikCast HelperVIP MemberWii OwnerStrawberryPicture Me This Round 28 Winner!PS3 OwnerI am an April Fool
Candy Cane
3rd December, 2009 at 15:11:29 -

Nvm problem solved


Edited by Ski

 
n/a

~Matt Esch~

Stone Goose

Registered
  30/12/2006
Points
  870

VIP Member
4th December, 2009 at 19:29:11 -

Somebody hacking our email accounts is something we can't really account for unless we decide to not allow password resetting at all. Changing the password recovery to a password reset merely hides the issue that passwords can be retrieved by somebody observing the database. Changing the way users are authenticated should be pretty simple without any disruption at all.

 
http://create-games.com/project.asp?id=1875 Image


Cecilectomy

noPE

Registered
  19/03/2005
Points
  305

Has Donated, Thank You!VIP MemberWeekly Picture Me This Winner!Cardboard BoxGhostbuster!Pokemon Ball!ComputerBox RedSanta HatSnowman
I am an April Fool
5th December, 2009 at 03:06:27 -

hypertext transfer protocol secure

hacking the database can be accounted for. even if anyone had access to view entries, they would not be able to decrypt a salted hash without brute force/rainbow tables/etc., which is futile without some sort of super computer.

a hacker wouldnt even bother with encrypted passwords in a database, unless they just wanted to lock everyone out by messing with entries. they would just sniff packets being sent to the server for passwords and login names being sent. https should solve that.

 
n/a

UrbanMonk

BRING BACK MITCH

Registered
  07/07/2008
Points
  49667

Has Donated, Thank You!Little Pirate!ARGH SignKliktober Special Award TagPicture Me This Round 33 Winner!The Outlaw!VIP MemberHasslevania 2!I am an April FoolKitty
Picture Me This Round 32 Winner!Picture Me This Round 42 Winner!Picture Me This Round 44 Winner!Picture Me This Round 53 Winner!
5th December, 2009 at 04:23:50 -

I didn't bother with any of that, I just redirected the domain name to my phishing website when I stole all your passwords.

So that wouldn't work. Sorry.

 
n/a
   

Post Reply



 



Advertisement

Worth A Click