Forum Index » GSC General Forum » Support
GSC Game World Forums Appears to Store Passwords in Plaintext

13:23:04 22 February 2018
Tempest Flea (Novice)
On forum: 05/23/2009
Messages: 1
Message edited by: Tempest Flea, 02/22/2018 13:31:07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The password recovery form states that a user's username and password will be emailed to them after they provide their email address. The subsequent email will contain the user's username and password. The email may or may not have been transmitted securely via the Transport Layer Security (TLS) protocol.

If the email was not transmitted using TLS then the user's login credentials were just broadcast across the Internet in plaintext.

If the email was transmitted using TLS then that means little anyway because the gsc-game.com website, including the login page, is transmitted over Hypertext Transfer Protocol (HTTP). If HTTPS is used then the browser will display an ERR_CERT_COMMON_NAME_INVALID error.

The issue of receiving a password in plaintext is that it strongly suggests that GSC Game World Forums is storing users' passwords in plaintext or encrypted form. This practice is insecure to such an extreme as to be borderline criminally negligent.

The proper and secure method of storing passwords is to store the hash of the password. Password hashing functions such as bcrypt, scrypt, PBKDF2, and others are recommended for hashing passwords. The input is the user's password and the output is a hash that has gone through thousands, possibly tens of thousands, of iterations.

If you have an account on this forum then make sure that the password that you use to login is not used anywhere else.

Further reading:
https://www.ssllabs.com/ssltest/analyze.html?d=gsc-game.com - SSL Report
https://discovery.cryptosense.com/analyze/gsc-game.com/1eebf95 - Cryptosense Report
http://plaintextoffenders.com/faq/devs - Developers FAQ
https://youtu.be/8ZtInClXe1Q - How NOT to Store Passwords! by Computerphile
https://youtu.be/7U-RbOKanYs - Password Cracking by Computerphile
https://youtu.be/yoMOAIzBSpY - YouTube Doesn't Know Your Password by Tom Scott
https://haveibeenpwned.com/PwnedWebsites - A list of website data breaches. Note the many sites that stored their users' information in plain text.
https://cryptosense.com/measuring-pbkdf-strength/ - Measuring PBKDF strength
https://tools.ietf.org/html/rfc7914 - RFC 7914 - The scrypt Password-Based Key Derivation Function
http://world.std.com/~reinhold/diceware.html - The Diceware Passphrase Home Page

Edit: Formatting and clear signature - 2018-02-22
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
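The post above recommends storing only a salted, iterated hash (bcrypt, scrypt, PBKDF2) instead of the password itself. The following is an added example, written for this thread and not code from the GSC forum engine or from the poster, showing what that looks like in practice: a self-describing record format (chosen here for illustration), constant-time verification, a check that flags records made under an older, weaker cost policy, and a `login` helper that migrates a legacy plaintext user table (the situation the replies below describe) to hashed records at the user's next successful login. The user table as a plain dict and the record format are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Added example, not the GSC forum engine's code. Password records are stored as
# "scheme$params$salt_hex$hash_hex" (a format chosen here for illustration) so the
# scheme and its cost parameters travel with the hash and can be raised later.
PBKDF2_ITERATIONS = 600_000                  # policy: minimum PBKDF2-HMAC-SHA256 iterations
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # policy: scrypt cost parameters (RFC 7914)
SALT_BYTES = 16
KEY_BYTES = 32


def policy_params(scheme: str) -> str:
    """Encode the current cost policy for a scheme as the record's params field."""
    if scheme == "pbkdf2_sha256":
        return str(PBKDF2_ITERATIONS)
    if scheme == "scrypt":
        return f"{SCRYPT_N}:{SCRYPT_R}:{SCRYPT_P}"
    raise ValueError(f"unknown scheme {scheme!r}")


def derive_key(password: str, scheme: str, params: str, salt: bytes) -> bytes:
    """Run the slow, salted key derivation that the record's scheme and params describe."""
    pw = password.encode("utf-8")
    if scheme == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, int(params), dklen=KEY_BYTES)
    if scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(":"))
        return hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=KEY_BYTES)
    raise ValueError(f"unknown scheme {scheme!r}")


def hash_password(password: str, scheme: str = "pbkdf2_sha256", salt: bytes | None = None) -> str:
    """Hash a new password under the current policy with a fresh random salt.

    A per-user salt means two users with the same password get different records,
    so a leaked table cannot be attacked with one precomputed list.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    params = policy_params(scheme)
    return f"{scheme}${params}${salt.hex()}${derive_key(password, scheme, params, salt).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and params; compare in constant time."""
    scheme, params, salt_hex, hash_hex = record.split("$")
    candidate = derive_key(password, scheme, params, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def needs_rehash(record: str) -> bool:
    """True if the record was made under a weaker policy than the current one."""
    scheme, params, _, _ = record.split("$")
    if scheme == "pbkdf2_sha256":
        return int(params) < PBKDF2_ITERATIONS
    if scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(":"))
        return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
    return True  # unknown or retired scheme: replace it


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate against a user table, upgrading plaintext or weak rows in place.

    `users` maps a username to {"password": "..."} for legacy plaintext rows (the
    situation described in this thread) or {"record": "..."} for hashed rows. The
    only time the server legitimately holds the plaintext is during a successful
    login, so that is the moment to hash it and drop the plaintext value.
    """
    row = users.get(username)
    if row is None:
        # Unknown user: still pay for one derivation so the response time does
        # not reveal whether the username exists.
        derive_key(password, "pbkdf2_sha256", str(PBKDF2_ITERATIONS), bytes(SALT_BYTES))
        return False
    if "password" in row:  # legacy plaintext row
        ok = hmac.compare_digest(row["password"].encode("utf-8"), password.encode("utf-8"))
        if ok:
            row["record"] = hash_password(password)
            del row["password"]
        return ok
    ok = verify_password(password, row["record"])
    if ok and needs_rehash(row["record"]):  # policy was raised since this hash was made
        row["record"] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample table: one legacy plaintext row, as the forum engine stores them.
    table = {"alice": {"password": "correct horse battery staple"}}
    print(login(table, "alice", "wrong password"))                # False, row untouched
    print(login(table, "alice", "correct horse battery staple"))  # True, row now hashed
    print(table["alice"])                                         # only a "record" key remains
```

Because the stored record cannot be turned back into the password, a "forgot password" flow built on it can only issue a one-time reset link; it cannot email the password back, which is exactly why receiving one's password by email is the tell-tale sign the post describes.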
07:59:43 16 May 2018
Don Reba, Bishop and Councilor of War (Moderator)
On forum: 12/04/2002
Messages: 11561
It does store passwords in plaintext. We know it's dumb and irresponsible, but the forum engine was written a long time ago and is long beyond serious modification.
10:52:16 25 May 2018
ManOwaR, Linux Lover (Administrator)
On forum: 01/01/2001
Messages: 101
The site was switched to the secure protocol (https://). So now it should not be a major issue. We'll also try to get rid of plain-text passwords if it takes some reasonable amount of resources.
All short dates are in Month-Day-Year format.
Copyright © 1995-2018 GSC Game World. All rights reserved.