Why are passwords stored as plain text? (Spoiler: They're not)
#1
Why in the name of Christ does this site store passwords as plaintext? I got a mail with my password a few days ago, which should never be possible!

Storing passwords as plain text leaves a big hole in the site's security. Hashing and salting of all passwords needs to be implemented immediately. If you have no clue about any of this, watch this video from Tom Scott
https://www.youtube.com/watch?v=8ZtInClXe1Q

Basically, it's incredibly insecure to store passwords as plain text, because it's possible for anyone with access to the database to read literally every users' password, which would not be the case if they were hashed and salted.

Any site that emails you your password can only do so if it stores it as plain text, which, again, is an incredibly naive and bad practice.
#2
What are you talking about? You can't request your password to be emailed to you. If you say "forgot password" it sends you a link to reset your password and an activation key.

Even if this is true (which I'm skeptical of) I'm not even sure we have any control over how they are stored, we use MyBB so it would be on them.
#3
All mybb passwords are hashed/salted, you probably copy/pasta that video everywhere you knew without doing any research before it seems? Mybb *never* emailed you any passwords in any case.
#4
Also you registered with a spam email address that only lasts 10 minutes, so how you got an email from it 3 years later, I do not know.
#5
(07-27-2021, 08:16 PM)refraction Wrote: What are you talking about? You can't request your password to be emailed to you. If you say "forgot password" it sends you a link to reset your password and an activation key.

Even if this is true (which I'm skeptical of) I'm not even sure we have any control over how they are stored, we use MyBB so it would be on them.
No, it literally sent my password to my mail. The password it sends is the same password I use to log in; I didn't change my password manually at any point. I clicked on forgot password, entered the activation code and it generated a new password for me that got sent to my mail. This would only be possible if passwords are stored in plain text. You can try it yourself and see they really do this, or just look at the screenshot below.

[Image: CaaaVon.png]
(07-27-2021, 08:27 PM)Bositman Wrote: All mybb passwords are hashed/salted, you probably copy/pasta that video everywhere you knew without doing any research before it seems? Mybb *never* emailed you any passwords in any case.

The irony of you telling me I don't know what I'm talking about, when not only is this the first time I have ever posted any of his videos or any video about hashing/salting, MyBB does in fact neither hash nor salt their passwords. If you don't believe me, try it yourself: click on "I forgot my password", use the activation key, and they will send you a new password to your mail. Or literally just look at the screenshot above. A website never sends you your password unless it's stored as plain text, which is the case here. I strongly suggest you take your own advice, and do some research before you make any input?

(07-27-2021, 08:32 PM)refraction Wrote: Also you registered with a spam email address that only lasts 10 minutes, so how you got an email from it 3 years later, I do not know.
Nah, I used to have a normal mail account, but I had to change my mail after finding out about this. It wouldn't let me change my mail to any of my other normal mails; I tried many times for hours but they never sent me the mail that let me change my mail, so I decided to use a temporary one instead, which worked instantly.
#6
Okay, well if you entering a new password and it emailing it to you after you've reset it is a problem, you need to speak to MyBB, we have no control over that. The only reason I can see them doing this is if you reset your password and it gives you a temporary password which you're supposed to change; if you don't update it then that's your own fault. But this is probably a safety mechanism in case everybody needs their passwords resetting.

If they change it and release a new version, we will upgrade to it.

But I can assure you there's no other time that the forum will reveal your password.

That said, a colleague reset their password and they didn't get it emailed to them at all, so unless you've chosen to get an auto generated password, I can't see why it would email your password.

Edit: Yep I just tested it, it's a temporary auto generated password which it EXPECTS YOU TO CHANGE (read the line that says "once you login you should change it by going to your User Control Panel."), how else would you know the new auto generated password if it didn't tell you? You certainly get no opportunity to enter one.
#7
Well, on pretty much any site I have used, I have reset my password many many times, and I can't remember a single one other than this one that sends you a temporary password. Is this common? And you're right, it doesn't seem like they send your password to you after you change it, thank god. I haven't activated any generate password setting, but I will try and see if I can talk to MyBB.
#8
It's pretty common to mail a temp password and instruct a user to change it, happens on a few sites I use.
The important part is that if you change it, it will be hashed/salted, so no worries here.
#9
That password is temporary as it states and is not stored anywhere, so no, you do not know what you are talking about. It is also very common practice to email a temp pass, then ask for a new pass. Also, if you do not use the temporary password, your actual password will never change, so unless your email is already compromised, there is 0 risk (if it is, it's your problem, not the forum's).

So in fact all your initial statements were false, just like we told you: mybb did NOT email you your password (and it can't, it's obfuscated), and no password is stored in plain text.
#10
(07-27-2021, 10:10 PM)taclicop Wrote: I clicked on forgot password, entered the activation code and it generated a new password for me that got sent to my mail. This would only be possible if passwords are stored in plain text. You can try it yourself and see they really do this, or just look at the screenshot below.

  1. Server has your current password stored salted and hashed
  2. You request a password reset
  3. The server generates a new password
  4. The server emails the newly generated password to you
  5. The server salts, hashes, and stores the newly generated password
  6. The server clears the unhashed password from memory
  7. You log in with the newly generated password

These steps outline a way to give the behavior you saw while salting and hashing user passwords. If you think it's not possible, then please specify which of these steps is not possible or explain why these steps would not give the behavior you saw.
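The seven steps above, written out as a small simulation (an added example, not MyBB's code or anything from this thread). It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt as a stand-in for whatever hash MyBB really uses; the point is that the record on disk never contains the temporary password even though it is handed back once to be emailed.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters: PBKDF2-HMAC-SHA256, 200k iterations, 16-byte salt.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Steps 1 and 5: derive a salted hash; only this value is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class UserStore:
    def __init__(self):
        self.users = {}  # username -> (salt, hash); there is no plaintext column

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        """Step 7: re-hash the supplied password with the stored salt and compare."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, hash_password(password, salt))

    def reset_password(self, username: str) -> str:
        """Steps 2-6: mint a temporary password, persist only its salted hash,
        and return the plaintext exactly once so the caller can email it.
        Nothing in self.users retains it afterwards."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(temp, salt))
        return temp

def demo() -> dict:
    """Constructed walk-through: register, reset, then inspect the stored record."""
    store = UserStore()
    store.register("alice", "original-pass")
    temp = store.reset_password("alice")
    salt, stored = store.users["alice"]
    return {
        "old_password_still_works": store.verify("alice", "original-pass"),
        "temp_password_works": store.verify("alice", temp),
        "plaintext_in_record": temp.encode() in salt or temp.encode() in stored,
    }

if __name__ == "__main__":
    print(demo())
```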