Password Security

10 Aug 2020 13:18 - 10 Aug 2020 15:29 #47421 by All
All created the topic: Password Security
Hi,

When you register a new account you get the activation email with your password.
This should not be necessary or even possible.
It shows that you save the passwords in plain text.

I use unique passwords in a safe, but reports again and again show, others do not.
The practice of storing the passwords unencrypted puts those in danger.

https://www.howtogeek.com/434930/why-are-companies-still-storing-passwords-in-plain-text/

This is not about how likely it is that pokerth gets hacked, or the consequences of a hack.
Basic password security should be expected everywhere.

You show that you care about Security in the login
[ ] save Password (not recommended)
so please consider changing how you store your user data.

edit: stupid typo


10 Aug 2020 13:49 #47422 by boehmi
boehmi replied.
Passwords are saved encrypted in the database. I can't tell you which algorithm is used, sp0ck knows better.

Of course, at the time of sign-up the password exists in plain text and is included in the confirmation email. I kind of agree with you that it should not be sent in plain text.
The following user(s) said Thank You: israelac


10 Aug 2020 14:54 #47425 by sp0ck
sp0ck replied.
I partially agree:

Many users really forget their password and do not even know how to reset it because they do not check the forum or kinda.

Anything worth hacking is an email address from a player, as the email address and password are the only things stored.

If there were any more sensitive personal data, I'd switch to a real hash mechanism. But that would mean getting rid of an old gsasl library - meaning a new client release and server code changes.

In the database the passwords are stored encrypted with a salt. So you need the salt in order to decrypt a password.

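As an added illustration of the "real hash mechanism" sp0ck contrasts with the current salted-encryption scheme (example code, not PokerTH's own): salted one-way hashing with PBKDF2 from Python's standard library. The stored record can verify a login but cannot reproduce the password, so an activation mail built from it cannot contain one. The record layout, the activation URL and the confirmation token are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
ITERATIONS = 600_000


@dataclass(frozen=True)
class PasswordRecord:
    """What the database keeps (assumed layout): a per-user salt and a one-way digest."""
    salt: bytes
    digest: bytes
    iterations: int


def store_password(password: str, iterations: int = ITERATIONS) -> PasswordRecord:
    """Derive a salted, one-way digest at sign-up.
    The derivation cannot be reversed, so no later step (activation mail,
    support request, database dump) can hand the password back out."""
    salt = os.urandom(16)  # fresh random salt per user, stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return PasswordRecord(salt, digest, iterations)


def verify_password(candidate: str, record: PasswordRecord) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record.salt, record.iterations
    )
    return hmac.compare_digest(digest, record.digest)


def activation_email(username: str) -> str:
    """Activation mail that carries a random single-use confirmation token
    instead of the password (hypothetical URL; the token would be stored
    server-side and invalidated on first use)."""
    token = os.urandom(16).hex()
    return (
        f"Hello {username}, confirm your account at "
        f"https://example.invalid/activate?token={token}"
    )


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))  # False
    print(activation_email("alice"))
```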

10 Aug 2020 17:00 #47426 by All
All replied.
Well, as long as they are stored encrypted, but sending it is still a bit sketchy,
or at least not best practice. Even if the mail were encrypted and deleted.
Users forgetting their login but keeping the confirmation email is not a good excuse to send the password, imho.
Once a login (password + email) is obtained it will be tested everywhere.
So even if it does not matter for pokerth, it's good to protect the users.
It's just a no-no in my book.


10 Aug 2020 17:07 #47427 by sp0ck
sp0ck replied.
From the principle point of view I still agree.

But from the relevance point of view at this platform, I do not. Every user who cares can reset/change his password directly after email confirmation as this is a very advisable strategy too.


10 Aug 2020 18:01 #47428 by All
All replied.
Don't take it personally but you are shifting from:
"many users really forget their password and do not even know how to reset it because they do not check the forum or kinda."
to:
" Every user who cares can reset/change his password directly after email confirmation as this is a very advisable strategy too."
in an attempt to justify what is broadly considered bad practice.
No matter how critical the application is.
