About passwords being emailed to users...

Hiya. I only just joined today, I don't know who the admins are, and I don't have a Twitter or Facebook to contact that way. I suppose I could have emailed in retrospect, but I chose to try the forum first. If someone could direct me to the proper channels, I'd really appreciate it! (PMs here would be ideal.)


Anyway, when I joined, I was emailed my username and password in plain text. This means the site is also storing the passwords. That means, should dragcave.net ever be breached or hacked, anyone who uses the same password/email combo elsewhere is at a very high risk. I'd like to suggest to the admin here that this be changed. I know this is an old site, but it's 2016 and many, many sites have already fallen under attack and continue to do so.


Here's a FAQ with more info: For users and for devs. I did not write these pages, so I apologise if the tone is a little harsh on them.


If you've used the same password on multiple sites (whether this site is one of them or not), I highly recommend you change them, and get a password manager. Check your email address here to see if your info's already been leaked in another breach, in fact.

I'm a little confused... How do you know the server/site is storing the password in plain text? As far as I know, it's entirely possible to encrypt things server-side but still be able to email them out as plain text. Is your issue with the fact that they're literally emailing you your password? Like, the email could get hacked/intercepted and then people would have your password?


Never mind, I read the links you posted. I understand more why this could be bad. This is an issue that should probably be addressed... I guess we'll have to wait for TJ to see this and address it. He's the only person who has full admin access to the site and so is the only one who could implement a change to address this.

Passwords are not stored in plain text. They were at one point stored as md5 hashes, and a while ago I implemented bcrypt (harder to crack + salted), but were never stored in plain text.


The only time you will ever see your password sent from the site in plaintext is when you first register; it is already available to include in that e-mail because you just submitted it to the server (presumably over HTTPS, which the site supports). The merits of that one-time inclusion are debatable, but the issue is much less dire than you seem to paint it.

No, don't worry. You might be confusing the scenario with being able to retrieve your password via email after registering, with the 'forgot password' function. If the site is able to give you your plaintext password then, then it means it's storing it in plaintext.


Emailing passwords at registration time is fairly standard practice (although not necessary, and in itself potentially suboptimal, since if anyone snoops the mail they have your password), and involves passing the password you typed through to the mail, as TJ said.
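To make concrete the two points above, TJ's md5-then-bcrypt history and the observation that a 'forgot password' form can only return a plaintext password if one is stored, here is an added illustration (not dragcave.net's code, and not the site's storage format). It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, since the properties being shown (per-user random salt, deliberately slow derivation, one-way record) are the same; the record layout and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme mentioned in the thread: one unsalted MD5 digest per password.
# Two users with the same password get the same record, so a precomputed table
# of common passwords cracks all of them at once.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Salted, slow scheme. PBKDF2-HMAC-SHA256 stands in for bcrypt here because it
# ships with the standard library. Iteration count and record layout are
# constructed for this example, not taken from any real site.
ITERATIONS = 200_000
RECORD_FORMAT = "pbkdf2_sha256${iters}${salt}${digest}"

def kdf_store(password: str, salt: Optional[bytes] = None) -> str:
    # A fresh random salt per user means equal passwords yield different records.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return RECORD_FORMAT.format(iters=ITERATIONS, salt=salt.hex(), digest=digest.hex())

def kdf_verify(password: str, record: str) -> bool:
    # The only question the stored record can answer is "does this candidate
    # match?"; the password itself cannot be recovered from it, which is why a
    # site storing records like this cannot e-mail your password back to you.
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("md5 records identical for two users:", md5_store(pw) == md5_store(pw))
    rec_a, rec_b = kdf_store(pw), kdf_store(pw)
    print("salted records differ for two users:", rec_a != rec_b)
    print("verify right password:", kdf_verify(pw, rec_a))
    print("verify wrong password:", kdf_verify("Tr0ub4dor&3", rec_a))
```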

