On forum: 05/23/2009
-----BEGIN PGP SIGNED MESSAGE-----
The password recovery form states that a user's username and password will be emailed to them after they provide their email address. The subsequent email will contain the user's username and password. The email may or may not have been transmitted securely via the Transport Layer Security (TLS) protocol.
If the email was not transmitted using TLS then the user's login credentials were just broadcast across the Internet in plaintext.
If the email was transmitted using TLS then that means little anyway, because the gsc-game.com website, including the login page, is transmitted over Hypertext Transfer Protocol (HTTP). If HTTPS is used then the browser will display an ERR_CERT_COMMON_NAME_INVALID error.
The issue with receiving a password in plaintext is that it strongly suggests that GSC Game World Forums is storing users' passwords in plaintext or encrypted form. This practice is insecure to such an extreme as to be borderline criminally negligent.
The proper and secure method of storing passwords is to store the hash of the password. Password hashing functions such as bcrypt, scrypt, PBKDF2, and others are recommended for hashing passwords. The input is the user's password and the output is a hash that has gone through thousands, possibly tens of thousands, of iterations.
If you have an account on this forum then make sure that the password that you use to log in is not used anywhere else.
https://www.ssllabs.com/ssltest/analyze.html?d=gsc-game.com - SSL Report
https://discovery.cryptosense.com/analyze/gsc-game.com/1eebf95 - Cryptosense Report
http://plaintextoffenders.com/faq/devs - Developers FAQ
https://youtu.be/8ZtInClXe1Q - How NOT to Store Passwords! by Computerphile
https://youtu.be/7U-RbOKanYs - Password Cracking by Computerphile
https://youtu.be/yoMOAIzBSpY - YouTube Doesn't Know Your Password by Tom Scott
https://haveibeenpwned.com/PwnedWebsites - A list of website data breaches. Note the many sites that stored their users' information in plain text.
https://cryptosense.com/measuring-pbkdf-strength/ - Measuring PBKDF strength
https://tools.ietf.org/html/rfc7914 - RFC 7914 - The scrypt Password-Based Key Derivation Function
http://world.std.com/~reinhold/diceware.html - The Diceware Passphrase Home Page
Edit: Formatting and clear signature - 2018-02-22
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
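The post above recommends storing only an iterated password hash (bcrypt, scrypt, PBKDF2) and implies that a site doing so cannot email the password back. The following is an added example, not code from the post or from GSC Game World; it shows, with PBKDF2-HMAC-SHA256 from the Python standard library, what a password record looks like, how login verification and iteration-count upgrades work, and the alternative a recovery form should use: a single-use, expiring reset token emailed instead of the password. The 600,000 iteration default, the record format, the `db` dictionary and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: a current OWASP-style figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "algo$iterations$salt_hex$hash_hex".

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables do not apply.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy.

    Call this after a successful login, while the plaintext is briefly in hand,
    and re-hash; the stored hash itself cannot be upgraded offline.
    """
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


# Constructed in-memory account store for the example:
# username -> {"pw": record, "reset": (token_sha256_hex, expiry_epoch) or None}
def create_account(db: Dict[str, dict], username: str, password: str,
                   iterations: int = ITERATIONS) -> None:
    db[username] = {"pw": hash_password(password, iterations), "reset": None}


def issue_reset_token(db: Dict[str, dict], username: str,
                      ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """What the recovery email should carry: a random one-time token, not the password.

    Only a hash of the token is stored, so a database leak does not hand out
    working reset links.
    """
    token = secrets.token_urlsafe(32)
    expiry = (time.time() if now is None else now) + ttl_seconds
    db[username]["reset"] = (hashlib.sha256(token.encode()).hexdigest(), expiry)
    return token


def consume_reset_token(db: Dict[str, dict], username: str, token: str,
                        new_password: str, iterations: int = ITERATIONS,
                        now: Optional[float] = None) -> bool:
    """Set a new password if the token is unexpired and matches; burn it either way."""
    entry = db.get(username)
    if not entry or entry["reset"] is None:
        return False
    token_hash, expiry = entry["reset"]
    entry["reset"] = None  # single use: a wrong guess also burns it, so it cannot be brute-forced
    current = time.time() if now is None else now
    if current > expiry:
        return False
    if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).hexdigest()):
        return False
    entry["pw"] = hash_password(new_password, iterations)
    return True


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    create_account(db, "alice", "correct horse battery staple")
    print(db["alice"]["pw"])  # only this record is stored; the password is gone
    print(verify_password("correct horse battery staple", db["alice"]["pw"]))
    token = issue_reset_token(db, "alice")
    print("email this instead of the password:", token)
    print(consume_reset_token(db, "alice", token, "new passphrase"))
```

The `iterations` value is recorded in each row so it can be raised later without invalidating existing accounts; `needs_rehash` flags rows that should be upgraded at next login. Replacing `hashlib.pbkdf2_hmac` with `hashlib.scrypt` or a bcrypt library changes only `hash_password` and `verify_password`.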