Murder1

Atomic passwords - stored in plaintext?

Recommended Posts

Hey all

 

I haven't been on this site for a while and forgot my password. So I went to "Forgot my password" and followed through with the process. Instead of receiving a link which resets my password to create a temporary one, I received my old password directly in my email!

 

Isn't this a security issue? What's to stop the database admin from viewing our own passwords and trying those credentials out on other web services? What if a blackhat hacker attacks the server?


Well, if you don't trust the site admins - like, I guess, me - then I'm not sure what I can say to make you feel otherwise... bit of a Catch 22, really.


'Best' practice says that you shouldn't use the same password across sites anyway.

 

I know I have a password I use for forums and a password I use for email accounts etc.


It is a valid concern Hawkeye.

 

It's not that we can't trust the site admins. It's that if the server gets hacked all the passwords/usernames may become available to the hacker.

This has happened to several quite high profile sites in recent months - remember Sony... Linkage


That's fair, but in all honesty I think we're a low priority target. We don't keep address details, nor financial details.


Geez guys, it's only a forum. What would be so bad if someone did hack your account? Read your PMs?

If it happened I'm sure a message to Dave and your account would be fixed.

I'm just not really sure Atomic would be a place hackers have high on their lists.


The thing is though, with most forum software, even if the password is 'encrypted' it is obtainable once the site is compromised.

Edited by PointZeroOne


Geez guys, it's only a forum. What would be so bad if someone did hack your account? Read your PMs?

If it happened I'm sure a message to Dave and your account would be fixed.

I'm just not really sure Atomic would be a place hackers have high on their lists.

Except that many people reuse passwords, so popular vulnerable forums are a prime target for hackers.


Geez guys, it's only a forum. What would be so bad if someone did hack your account? Read your PMs?

If it happened I'm sure a message to Dave and your account would be fixed.

I'm just not really sure Atomic would be a place hackers have high on their lists.

Except that many people reuse passwords, so popular vulnerable forums are a prime target for hackers.

 

That's why you should never reuse passwords :)


All you need are emails and passwords to run scripts to cross-check if they're being used elsewhere, such as PayPal or Steam.

 

I agree that passwords should not be identical across multiple sites as a best practice, but bear in mind that best practice for web developers is to not store passwords in plaintext either. It's listed as one of the top ten in OWASP https://www.owasp.org/index.php/Category:OW...Top_Ten_Project

 

In response to 'passwords can be retrieved even if it's encrypted': encrypting passwords with the use of salted hashes will significantly increase the effort needed to recover them, requiring a lot more processing power and time, which won't be worth it for a 'hacker'.

 

Imagine the impact on Atomic's brand if passwords were leaked out?

Edited by Murder1


It doesn't mean it's stored in plain-text. It means it's not salted.

It is most likely reversibly encrypted, which means that access to the database alone via something like an SQL attack shouldn't give you the cleartext passwords.

TBH, in that case it's probably safer than a weakly salted password, such as an MD5 digest.

 

These forums run on commercial software. I highly doubt (But as I'm not an admin/sysadmin I don't know for sure) that the password is encrypted.


Well, if you don't trust the site admins - like, I guess, me - then I'm not sure what I can say to make you feel otherwise... bit of a Catch 22, really.

 

You know, I always wondered why when I changed my password to hawk3y3isacun7 you stopped talking to me. Now I know.


That's why you should never reuse passwords :)

You and I know this, but mortals... not so much.

 

Why not?

 

Of course it's a no-brainer in a general sense.

 

But the problem is, examples of what might happen often come across as overly paranoid or implausible, when what I want is to scare someone I know who admits to using the same password for EVERYTHING from dodgy spam email accounts to bank and work logins etc!

 

If a person is a relative nobody, not being targeted specifically, how (or why) would a malicious person ever find out about their bad habit, even after one of the sites they log into was compromised?


If a person is a relative nobody, not being targeted specifically, how (or why) would a malicious person ever find out about their bad habit, even after one of the sites they log into was compromised?

You're looking at it wrong. Hackers don't target individuals, they target anyone they can. If they could easily get access to a table of passwords/usernames/e-mails, they'll run them through a script to try those details on popular websites. If you use the same password on those sites then you're screwed.

 

That's not to say Atomic is that insecure (I don't know what vulnerabilities it has, and I'm not going to try and find out), but it's something to think about.


Hackers most certainly do target some individuals sometimes!

 

But yes, I actually want them to worry about those harvesting and cross-referencing vast amounts of impersonal/anonymous data with hand-coded tools in a brute-force search for 'hits'.

 

It is just that I will probably need more than 'hackers might run scripts n stuff' to convince this person, who is not computer-geeky enough to 'get it', but tech-savvy enough to grasp a more detailed scenario, as long as it doesn't seem like overly generalised FUD.

 

To this person, worrying about varied password choices is not just akin to observing the sensible precaution of wearing a seatbelt whilst travelling in a motor vehicle, but going to the extreme of strapping on a StackHat as well. Of course, there can always be specifics that raise any individual's level of risk. But, if we assume this person is the perfect embodiment of a generic user of the information superhighway (lol at now quaint coinage), are they all that wrong?

Edited by @~thehung


I know that, even with admin access to our forum back-end, I cannot see passwords. There is no plaintext store that I'm aware of (which doesn't mean there isn't one, I guess, but it's the best I can give you).


I know that, even with admin access to our forum back-end, I cannot see passwords. There is no plaintext store that I'm aware of (which doesn't mean there isn't one, I guess, but it's the best I can give you).

 


 

I'm sorry Dave, but that isn't good enough.

Edited by PointZeroOne


http://community.invisionpower.com/resourc...in-ipboard-r501

 

IP.Board stores members' passwords as a salted hash. Both the hash and the salt are stored in the database in the members table as members_pass_hash and members_pass_salt, respectively.

 

The hash is the md5 sum of the md5 sum of the salt concatenated to the md5 sum of the plaintext password. Expressed in PHP code, this is as follows:

$hash = md5( md5( $salt ) . md5( $password ) );

Where:

$hash is the value stored in the database column members_pass_hash.

$salt is the value stored in the database column members_pass_salt.

$password is the plaintext password.

 

The salt is a string of 5 random characters including letters, numbers and symbols (specifically, ASCII characters 33-126, excluding 92).
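As an added illustration (not code from the forum or from IP.Board itself), the scheme quoted above reimplemented in Python: the salt alphabet, the `md5(md5(salt) . md5(password))` construction, a constant-time login check, and, going one step beyond the quoted documentation, a re-hash to a slow KDF that a site could apply at the moment a legacy password verifies. The `upgrade_to_pbkdf2` parameters are assumptions for the example, not anything IP.Board documents.

```python
import hashlib
import hmac
import secrets

# Salt alphabet per the quoted IP.Board description: ASCII 33-126, excluding 92 (backslash).
SALT_CHARS = "".join(chr(c) for c in range(33, 127) if c != 92)
SALT_LEN = 5


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string, matching PHP's md5() default output."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def generate_salt() -> str:
    """Five characters drawn from the documented alphabet with a CSPRNG."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(SALT_LEN))


def ipb_hash(password: str, salt: str) -> str:
    """Python equivalent of: $hash = md5( md5( $salt ) . md5( $password ) );
    Note: three fast MD5 calls; the salt only defeats precomputed tables, it
    does not make guessing a single user's password expensive."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def verify(password: str, stored_hash: str, stored_salt: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    return hmac.compare_digest(ipb_hash(password, stored_salt), stored_hash)


# --- Assumed migration target (not part of IP.Board): PBKDF2-HMAC-SHA256 ---
PBKDF2_ITER = 200_000  # assumption for the example; tune for your hardware


def upgrade_to_pbkdf2(password: str) -> dict:
    """Run right after a successful legacy verify(), while the plaintext is
    available, so the user's record stops depending on MD5."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITER)
    return {"alg": "pbkdf2_sha256", "iter": PBKDF2_ITER, "salt": salt.hex(), "hash": dk.hex()}


def verify_pbkdf2(password: str, rec: dict) -> bool:
    """Login check against an upgraded record."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(rec["salt"]), rec["iter"])
    return hmac.compare_digest(dk.hex(), rec["hash"])
```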
