neonsign
Joined: 21 Apr 2013
Posts: 3
Posted: Sun Apr 21, 2013 4:14 am
I just registered to your site, and received an email giving further instructions to activate my account.
And what's creepy about that is that I received my password in PLAINTEXT. Is this how you store our passwords in your database?
You should start worrying about that because it's NOT the right way of doing it. Either save a HASH of the password or a salted HASH of it (more secure).
Please consider this.
Best regards
Dan42
Chief Encyclopedist
Joined: 02 Jan 2002
Posts: 3794
Location: Montreal
Posted: Sun Apr 21, 2013 8:48 am
I admit it's ridiculous to send the plaintext password in an email. That's just how old and retarded phpBB2 is. But only the hash of the password is stored in the database.
neonsign
Joined: 21 Apr 2013
Posts: 3
Posted: Sun Apr 21, 2013 9:14 am
If it's stored as a hash, how is it possible to send me back the plaintext of it?
I suggest you take a little time and 'maintain' some tiny parts of your code and get it fixed, because sooner or later this vulnerability is going to cost much more.
Just saying, you know.
I wouldn't want anyone to have even the smallest possibility to gain access over my account.
Tony K.
 Subscriber
Moderator
Joined: 18 Nov 2003
Posts: 11509
Location: Frisco, TX
Posted: Sun Apr 21, 2013 6:08 pm
Why would someone care to hack an ANN account anyway? I mean, the most they could find out is an email address, unless you're just hiding all kinds of important names and numbers throughout your "my ANN" tabs, which I really don't recommend.
dtm42
Joined: 05 Feb 2008
Posts: 14084
Location: currently stalking my waifu
Posted: Sun Apr 21, 2013 7:02 pm
^
Well Tony K., if someone hacked ANN and nabbed your password they could wreak all kinds of havoc with your Mod powers. Heck, even if you weren't a Moderator they could still make insulting, derogatory and abusive posts in your name and hurt your reputation before the Mods finally shut them down. Heck, if they really wanted to land you in hot water they'd use your account to directly post child porn pictures on the forum. Even if it could be easily disproved that it wasn't you who posted them, it would still be an extremely uncomfortable experience for you.
So I can see why some people would be a bit nervous if they believe - rightly or wrongly - that their password is not secure.
Now, I have no idea if the passwords are securely stored, but since I've never heard of ANN login passwords being stolen before, and since Dan42 isn't fretting over it, I'm not going to be losing much sleep over the matter. Obviously the OP is a bit more cautious than I am.
Tony K.
 Subscriber
Moderator
Joined: 18 Nov 2003
Posts: 11509
Location: Frisco, TX
Posted: Sun Apr 21, 2013 7:29 pm
Well, if someone wanted to wreak havoc around the Internet, I think they could probably find a better place to do it than a website full of anime/manga/Japanese-related news. People who generally have that kind of god complex more than likely wouldn't limit themselves to such esoteric groundings anyway. And if they did hack someone's account just to defame the person, then it's more likely a personal vendetta, which would just be sad and pathetic to even commit in the first place. It's like saying, "I have all these super hacking skills, but instead of making money off of it, I'm gonna pretend to be this other guy and make him look bad! Mwa ha ha ha~!"
It'd be like some 4th-rate villain out of a character lineup in Despicable Me. The least they can do is show a little more ambition.
Rhyono
Joined: 03 Dec 2011
Posts: 1039
Posted: Sun Apr 21, 2013 10:21 pm
neonsign wrote:
> If it's stored as a hash, how is it possible to send me back the plaintext of it?
When you register for the site, you are entering your password as plain text. Once you submit it, two things are done:
- It is sent to you the way you entered it (i.e. plain text).
- It is hashed and stored in the database.
As long as you can keep your email account secure, being sent your password to a forum is not the end of the world.
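The registration flow Rhyono describes (the plaintext goes into the e-mail, a hash goes into the database) together with the salted-versus-unsalted point from the opening post, as an added Python example that is not part of the thread and is not phpBB's code. phpBB2 really did store an unsalted MD5 of the password; the salted PBKDF2 scheme, the mail wording, the accounts, passwords, wordlist and the low iteration count are all constructed for the demonstration.

```python
"""Registration-time password handling (added example, not phpBB code).

Shows how a site can e-mail the plaintext at registration while the
database only ever receives a hash, why no admin or DB dump can reverse
that hash, and why a per-user salt defeats the shared lookup table that
works against phpBB2's unsalted md5.  Everything below is constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 5_000  # constructed: deliberately low so the demo runs fast


def store_md5(db, user, password):
    """Legacy phpBB2 scheme: unsalted md5(password)."""
    db[user] = {"scheme": "md5",
                "hash": hashlib.md5(password.encode()).hexdigest()}


def store_salted(db, user, password):
    """Salted, iterated scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = {"scheme": "pbkdf2", "salt": salt.hex(),
                "iter": ITERATIONS, "hash": digest.hex()}


def register(db, user, password, scheme="pbkdf2"):
    """Registration handler.  The plaintext exists only inside this request;
    the activation mail is built from it before the request ends, which is
    how the forum can mail it although the DB only ever sees a hash.
    Returns the mail body (constructed wording, not phpBB's template)."""
    (store_md5 if scheme == "md5" else store_salted)(db, user, password)
    return f"Welcome {user}. Your password is: {password}"  # the creepy part


def verify(db, user, password):
    """Login: recompute the hash from the candidate and compare in constant time.
    Nothing here, and nothing in `db`, can turn a stored hash back into a password."""
    rec = db.get(user)
    if rec is None:
        return False
    if rec["scheme"] == "md5":
        cand = hashlib.md5(password.encode()).hexdigest()
    else:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(rec["salt"]), rec["iter"]).hex()
    return hmac.compare_digest(cand, rec["hash"])


def crack(db, wordlist):
    """Offline dictionary attack on a leaked `db`.  Returns (recovered, hash_ops).
    Unsalted md5: hash each word once; every user is then a table lookup.
    Salted PBKDF2: the table cannot be shared, so every user costs the
    wordlist again, and each guess costs `iter` HMAC rounds."""
    recovered, ops, table = {}, 0, None
    for user, rec in db.items():
        if rec["scheme"] == "md5":
            if table is None:  # built once, reused for every md5 user
                table = {}
                for w in wordlist:
                    table[hashlib.md5(w.encode()).hexdigest()] = w
                    ops += 1
            if rec["hash"] in table:
                recovered[user] = table[rec["hash"]]
            continue
        salt = bytes.fromhex(rec["salt"])
        for w in wordlist:  # per-user work; nothing can be precomputed
            ops += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rec["iter"]).hex()
            if hmac.compare_digest(guess, rec["hash"]):
                recovered[user] = w
                break
    return recovered, ops


def demo():
    """Same three constructed users and weak passwords on a legacy and a salted site."""
    wordlist = ["123456", "password", "hunter2", "letmein", "sakura"]
    users = [("neonsign", "hunter2"), ("dan", "hunter2"), ("tony", "sakura")]
    legacy, modern = {}, {}
    for u, p in users:
        register(legacy, u, p, scheme="md5")
        register(modern, u, p)
    legacy_found, legacy_ops = crack(legacy, wordlist)
    modern_found, modern_ops = crack(modern, wordlist)
    return {
        "legacy_identical_hashes": legacy["neonsign"]["hash"] == legacy["dan"]["hash"],
        "modern_identical_hashes": modern["neonsign"]["hash"] == modern["dan"]["hash"],
        "legacy_ops": legacy_ops,  # one md5 per word, shared by all users
        "modern_ops": modern_ops,  # one PBKDF2 per (user, guess) until a hit
        "all_cracked": len(legacy_found) == len(modern_found) == len(users),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`register` returns the mail body containing the plaintext while `db` holds only a hash, which is the situation Dan42 and Rhyono describe. `demo` shows the two consequences the opening post alludes to: with unsalted md5 two users with the same password get identical hashes and the attacker pays for the wordlist once, while with a per-user salt the hashes differ and the attacker pays for the wordlist per user, each guess costing `ITERATIONS` HMAC rounds. The caveat is that the salt does not rescue a weak password: every constructed account is cracked on both sites because its password is in the wordlist.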
Dessa
Joined: 14 Jul 2004
Posts: 4438
Posted: Sun Apr 21, 2013 11:02 pm
I should point out, knowing phpBB2 and phpBB3, that however the password is saved, the database can't recover it for you, nor can an administrator access your password (they can change it, but they can't see what it is).
Rhyono
Joined: 03 Dec 2011
Posts: 1039
Posted: Sun Apr 21, 2013 11:50 pm
Dessa wrote:
> however the password is saved, the database can't recover it for you
That's because the password is saved as a hash.
neonsign
Joined: 21 Apr 2013
Posts: 3
Posted: Mon Apr 22, 2013 7:05 am
This helped me more than enough.
Thanks a lot, bros.
This did bring my sleep back.
Cheers
Shiroi Hane
Encyclopedia Editor
Joined: 25 Oct 2003
Posts: 7585
Location: Wales
Posted: Tue Apr 23, 2013 10:15 am
dtm42 wrote:
> ^
> Well Tony K., if someone hacked ANN and nabbed your password they could wreak all kinds of havoc with your Mod powers.
Staff have to have stronger passwords than other members. Dan has checks in place.
Rhyono
Joined: 03 Dec 2011
Posts: 1039
Posted: Tue Apr 23, 2013 8:13 pm
@Shiroi Hane Biometrics, with a dongle, password, key code, IP, MAC, and (assuming Windows) the unique ID? Or just more complex passwords?
dtm42
Joined: 05 Feb 2008
Posts: 14084
Location: currently stalking my waifu
Posted: Tue Apr 23, 2013 8:48 pm
Keonyn
 Subscriber
Joined: 25 May 2005
Posts: 5567
Location: Coon Rapids, MN
Posted: Tue Apr 23, 2013 8:52 pm
Yeah, that seems about right.
Tony K.
 Subscriber
Moderator
Joined: 18 Nov 2003
Posts: 11509
Location: Frisco, TX
Posted: Tue Apr 23, 2013 9:12 pm
And I often feel like a lot of users have hearing impairments from the Cone of Silence...