GSC Game World Forums Appears to Store Passwords in Plaintext

  13:23:04  22 February 2018
Tempest Flea
On forum: 05/23/2009

Message edited by:
Tempest Flea
02/22/2018 13:31:07
Messages: 1
The password recovery form states that a user's username and password will be emailed to them after they provide their email address. The subsequent email will contain the user's username and password. The email may or may not have been transmitted securely via the Transport Layer Security (TLS) protocol.

If the email was not transmitted using TLS then the user's login credentials were just broadcast across the Internet in plaintext.

If the email was transmitted using TLS then that means little anyway, because the website, including the login page, is transmitted over Hypertext Transfer Protocol (HTTP). If HTTPS is used then the browser will display an ERR_CERT_COMMON_NAME_INVALID error.

The issue of receiving a password in plaintext is that it strongly suggests that GSC Game World Forums is storing users' passwords in plaintext or encrypted form. This practice is insecure to such an extreme as to be borderline criminally negligent.

The proper and secure method of storing passwords is to store the hash of the password. Password hashing functions such as bcrypt, scrypt, PBKDF2, and others are recommended for hashing passwords. The input is the user's password and the output is a hash that has gone through thousands, possibly tens of thousands, of iterations.

If you have an account on this forum then make sure that the password that you use to login is not used anywhere else.

Further reading:
- SSL Report
- Cryptosense Report
- Developers FAQ
- How NOT to Store Passwords! by Computerphile
- Password Cracking by Computerphile
- YouTube Doesn't Know Your Password by Tom Scott
- A list of website data breaches. Note the many sites that stored their users' information in plain text.
- Measuring PBKDF strength
- RFC 7914 - The scrypt Password-Based Key Derivation Function
- The Diceware Passphrase Home Page

Edit: Formatting and clear signature - 2018-02-22
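As an added example (not code from this thread or from the GSC forum engine), the Python sketch below shows the salted, iterated hashing the post recommends and how a site with a legacy plaintext table can move to hashed storage the next time each user logs in. The record format, the iteration count and the USERS table are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 parameters (assumed values for this example).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Storing the parameters beside the hash lets iterations be raised later."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Constructed user table: a legacy row still holds the plaintext password,
# as the thread describes; "record" is filled in once the row is migrated.
USERS = {"alice": {"plaintext": "correct horse", "record": None}}


def login(username: str, password: str, users=USERS) -> bool:
    """Authenticate the user and, on success, replace a plaintext row with a
    hashed record so the table converges to hashed storage without a forced reset."""
    row = users.get(username)
    if row is None:
        return False
    if row["record"] is None:  # legacy plaintext row
        ok = hmac.compare_digest(row["plaintext"].encode("utf-8"), password.encode("utf-8"))
        if ok:
            row["record"] = hash_password(password)
            row["plaintext"] = None  # the plaintext copy is discarded
        return ok
    return verify_password(password, row["record"])
```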

  07:59:43  16 May 2018
Don Reba
Bishop and Councilor of War


On forum: 12/04/2002
Messages: 11725
It does store passwords in plaintext. We know it's dumb and irresponsible, but the forum engine was written a long time ago and is long beyond serious modification.
  10:52:16  25 May 2018
Linux Lover


On forum: 01/01/2001
Messages: 97
The site was switched to a secure protocol (https://). So now it should not be a major issue. We'll also try to get rid of plaintext passwords if it takes some reasonable amount of resources.
All short dates are in Month-Day-Year format.