Plain Text Passwords

Practice posts and questions about the boards. The registration code for this board is 'Th3G@m|ngD3n' (Note the use of numbers and symbols!)

Moderator: Moderators

krainboltgreene
Apprentice
Posts: 50
Joined: Sun May 30, 2010 6:15 am
Location: Eugene, Oregon

Plain Text Passwords

Post by krainboltgreene »

Is there any chance the admins can stop storing passwords in plain text, or at least warn users that passwords are accessible in plain text?
fbmf
The Great Fence Builder
Posts: 2590
Joined: Fri Mar 07, 2008 7:54 pm

Post by fbmf »

[TGFBS]
Forwarded to the IT Department.
[/TGFBS]
Zherog
Knight-Baron
Posts: 907
Joined: Fri Mar 07, 2008 7:54 pm

Post by Zherog »

Oooh - I'm the IT Department now, rather than "that jerk that takes three months to solve the e-mail problem?" Sweet!

I have to admit I'm not sure what you're talking about, krain. If I go to the admin console I can't see your password (or anybody else's for that matter). It's possible that if I were to log into the database directly, I'd see what you're talking about. But I don't have MySQL set up on this PC so I can't log in now to check.

Can you elaborate as to why you think the password is stored in plain text? That might help me find a solution.
You can't fix stupid.

"A life is not important except in the impact it has on other lives." ~ Jackie Robinson
fbmf
The Great Fence Builder
Posts: 2590
Joined: Fri Mar 07, 2008 7:54 pm

Post by fbmf »

Zherog wrote: Oooh - I'm the IT Department now, rather than "that jerk that takes three months to solve the e-mail problem?" Sweet!
Congrats on your promotion.
Zherog wrote: I have to admit I'm not sure what you're talking about, krain.
Oh, thank God. I had no clue either.

Game On,
fbmf
krainboltgreene
Apprentice
Posts: 50
Joined: Sun May 30, 2010 6:15 am
Location: Eugene, Oregon

Post by krainboltgreene »

Sure. When I created the account I was given a confirmation email. This confirmation email had both my user name and my password (plaintext).

This is a really big sign that the passwords are stored in plain text, and it looks like it's a persistent issue even in 3.04: http://www.phpbb.com/community/viewtopi ... &t=1548605

Ideally passwords should be stored as an MD5+SHA-1, perhaps Salt. Here's a great article on how it should be done (and why): http://www.devbistro.com/articles/Java/ ... Encryption

And here, with more verbose points: http://www.codinghorror.com/blog/2007/0 ... ectly.html (scroll down to see the bullet points).

While The Gaming Den is likely to never be targeted, sending over email is still a big problem, especially if they use the same or similar password for other services.