The Daily Click ::. Forums ::. Daily Click ::. Password Security
 

 


~Matt Esch~

Stone Goose

Registered
  30/12/2006
Points
  870

26th November, 2009 at 18:48:42 -

Why are user passwords stored in the database in a way that you can recover them? In the interest of security I suggest that user passwords are hashed in a suitable manner.

 
http://create-games.com/project.asp?id=1875


Codemonkey

Always Serious

Registered
  06/11/2007
Points
  164

26th November, 2009 at 18:58:46 -

I say we use good old fashioned honesty instead.

Oh wait...

 
You can log off any time you like, but you can't ever leave.

AndyUK

Mascot Maniac

Registered
  01/08/2002
Points
  14586

26th November, 2009 at 20:44:28 -

heh, if it was as easy as being honest we wouldn't even need passwords.

 
.

aphant



Registered
  18/05/2008
Points
  1242
26th November, 2009 at 21:14:05 -

I can't really think of anything of particular interest on this site that would require secure passwords.

 

Lazernaut



Registered
  08/09/2002
Points
  1103

26th November, 2009 at 21:57:04 -

Fact is a lot of people use the same password on more than 1 site, and it's better to be safe than sorry. Tbh it's common practice on most websites to store passwords encrypted.

 
n/a

UrbanMonk

BRING BACK MITCH

Registered
  07/07/2008
Points
  49667

26th November, 2009 at 22:06:05 -

Don't worry about it guys. I've already stolen all the passwords anyway.

 
n/a

Silveraura

God's God

Registered
  08/08/2002
Points
  6747

27th November, 2009 at 00:35:56 -

Damn you UrbanMonk.

 
http://www.facebook.com/truediamondgame

Codemonkey

Always Serious

Registered
  06/11/2007
Points
  164

27th November, 2009 at 01:04:22 -


Originally Posted by SiLVERFIRE
Damn you UrbanMonk.



Dude you just guessed my password.

 
You can log off any time you like, but you can't ever leave.

Pixelthief

Dedicated klik scientist

Registered
  02/01/2002
Points
  3419

27th November, 2009 at 02:47:54 -

Hey guys this is UrbanMonk, just demonstrating how cool it is!
ps sorry pixelthief, just wanted an example account

 
Gridquest V2.00 is out!!
http://www.create-games.com/download.asp?id=7456

UrbanMonk

BRING BACK MITCH

Registered
  07/07/2008
Points
  49667

27th November, 2009 at 02:53:50 -

I love proxies!

 
n/a

Jon Lambert

Administrator
Vaporware Master

Registered
  19/12/2004
Points
  8235

27th November, 2009 at 03:46:36 -

Now I will demonstrate my powers to a greater extent with an admin's account! Don't worry, I won't ban anyone.

 
Sandwich Time!Whoo!

JoyCheck & KeyCheck Widgets
For easy implementation of customizable joystick and keyboard controls.
http://www.create-games.com/download.asp?id=8364

UrbanMonk

BRING BACK MITCH

Registered
  07/07/2008
Points
  49667

27th November, 2009 at 04:02:10 -

Image



 
n/a

Jon Lambert

Administrator
Vaporware Master

Registered
  19/12/2004
Points
  8235

27th November, 2009 at 04:43:13 -

That was a rather good try, but the mail count is wrong.

Whoops, didn't mean to spoil it. OH WAIT YEAH I DID

 
Sandwich Time!Whoo!

JoyCheck & KeyCheck Widgets
For easy implementation of customizable joystick and keyboard controls.
http://www.create-games.com/download.asp?id=8364

UrbanMonk

BRING BACK MITCH

Registered
  07/07/2008
Points
  49667

27th November, 2009 at 05:01:29 -

I just didn't want anyone to know your REAL mail count!

It's embarrassing having only 2 mails, and I didn't want you to have to go through the mental grief!

 
n/a

UrbanMonk

BRING BACK MITCH

Registered
  07/07/2008
Points
  49667

27th November, 2009 at 05:01:32 -

Grr

Edited by UrbanMonk

 
n/a

Assault Andy

Administrator
I make other people create vaporware

Registered
  29/07/2002
Points
  5686

27th November, 2009 at 12:49:16 -


Originally Posted by ~Matt Esch~
Why are user passwords stored in the database in a way that you can recover them? In the interest of security I suggest that user passwords are hashed in a suitable manner.



If the passwords are stored as plaintext then that's bad. But decryptable, while not ideal, isn't so bad. Where did you find information about how they are stored? Or did you try to recover a password?

 
Creator of Faerie Solitaire:
http://www.create-games.com/download.asp?id=7792
Also creator of ZDay20 and Dungeon Dash.
http://www.Jigxor.com
http://twitter.com/JigxorAndy

Clubsoft

Administrator
Weeeeeeee

Registered
  02/12/2001
Points
  254

27th November, 2009 at 13:10:29 -

Passwords are not viewable by site staff, they're emailed to users if they request a forgotten password - but if someone is already in your email account, you have bigger problems anyway.

It can be changed to a password reset system if people are really that worried.

 
.: Apocalyptic Coders - www.acoders.com :.

Codemonkey

Always Serious

Registered
  06/11/2007
Points
  164

27th November, 2009 at 16:23:59 -

I'm shaking in my boots!

 
You can log off any time you like, but you can't ever leave.

Muz



Registered
  14/02/2002
Points
  6499

28th November, 2009 at 18:21:38 -

Wait, we're not allowed to view passwords?

Heh, I remember back on the old TDC codebase where some guy used to read out passwords. That's why I use a special password or a very generic password for every indie site.

 
Disclaimer: Any sarcasm in my posts will not be mentioned as that would ruin the purpose. It is assumed that the reader is intelligent enough to tell the difference between what is sarcasm and what is not.


~Matt Esch~

Stone Goose

Registered
  30/12/2006
Points
  870

3rd December, 2009 at 08:59:49 -

For some reason I couldn't log in so I thought I would reset my password.... Then I got emailed my actual password (which, as it happens, I was trying to log in with, I just couldn't log in that particular day :/ ). Passwords are and should be treated as personal and sensitive information, and they should always be hashed with a salt when stored in a database. It's just common practice and makes sense.

 
http://create-games.com/project.asp?id=1875


Cecilectomy

noPE

Registered
  19/03/2005
Points
  305

3rd December, 2009 at 11:11:52 -


Originally Posted by Clubsoft
Passwords are not viewable by site staff, they're emailed to users if they request a forgotten password - but if someone is already in your email account, you have bigger problems anyway.

It can be changed to a password reset system if people are really that worried



Not viewable by site staff notwithstanding, having passwords in plaintext is highly insecure. It only takes one breach of the database by a hacker to get everyone's passwords and information.

Also, if you have access to using HTTPS instead of HTTP, you should be taking advantage of that for logging in (as you are now on a very expensive and, what I assume is, a dedicated server for TDC, you should have this available).

Anything short of using what Matt Esch just mentioned (hashed with a salt), and, if it is available, the use of HTTPS, is just plain stupid.

 
n/a

Ski

TDC is my stress ball

Registered
  13/03/2005
Points
  10130

3rd December, 2009 at 15:11:29 -

Nvm problem solved


Edited by Ski

 
n/a

~Matt Esch~

Stone Goose

Registered
  30/12/2006
Points
  870

4th December, 2009 at 19:29:11 -

Somebody hacking our email accounts is something we can't really account for unless we decide to not allow password resetting at all. Changing the password recovery to a password reset merely hides the issue that passwords can be retrieved by somebody observing the database. Changing the way users are authenticated should be pretty simple without any disruption at all.

 
http://create-games.com/project.asp?id=1875
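Clubsoft suggests switching to a "password reset system", and Matt Esch replies above that a reset flow by itself only hides how the passwords are stored. The block below is an added example for this discussion, not code from the thread or from the TDC codebase: a reset flow that emails a random, single-use, time-limited token and stores only a hash of that token, so it neither needs nor reveals the user's current password and can sit alongside hashed password storage. The function names, the 30-minute lifetime, and the in-memory dictionary standing in for a database table are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Lifetime of a reset link. The 30-minute value is an assumption for this example.
TOKEN_TTL_SECONDS = 30 * 60

# Constructed in-memory store standing in for a database table:
# username -> (sha256 hex digest of the token, expiry as a Unix timestamp).
# Only the digest is kept, so someone reading the table gets no working link.
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _token_digest(token: str) -> str:
    """Hash the token the same way for storage and for lookup."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint a fresh single-use token for the user and record only its digest.

    The returned token is what goes into the email. The user's password is
    never read or sent, so this works whether or not the site can recover
    passwords from its database.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of randomness; not guessable
    issued_at = time.time() if now is None else now
    _pending_resets[username] = (_token_digest(token), issued_at + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(username: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the token once, before expiry; the caller then sets a new password."""
    entry = _pending_resets.get(username)
    if entry is None:
        return False
    digest, expires_at = entry
    current = time.time() if now is None else now
    if current > expires_at:
        del _pending_resets[username]  # stale tokens are dropped, not honoured
        return False
    # Constant-time comparison of the two digests.
    if not hmac.compare_digest(digest, _token_digest(token)):
        return False
    del _pending_resets[username]  # single use: a replayed link fails
    return True


if __name__ == "__main__":
    # Constructed walk-through: issue a token, replay it, let one expire.
    t = issue_reset_token("alice", now=1000.0)
    print("what the database holds:", _pending_resets["alice"])
    print("first use:  ", redeem_reset_token("alice", t, now=1001.0))
    print("replayed:   ", redeem_reset_token("alice", t, now=1002.0))
    t2 = issue_reset_token("bob", now=1000.0)
    print("after TTL:  ", redeem_reset_token("bob", t2, now=1000.0 + TOKEN_TTL_SECONDS + 1))
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; in production the default of `time.time()` applies. Because the table holds a hash rather than the token, a database dump does not hand an attacker a valid reset link, which is the gap a plain "email the password" scheme leaves open.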


Cecilectomy

noPE

Registered
  19/03/2005
Points
  305

5th December, 2009 at 03:06:27 -

hypertext transfer protocol secure

Hacking the database can be accounted for. Even if anyone had access to view entries, they would not be able to decrypt a salted hash without brute force/rainbow tables/etc., which is futile without some sort of supercomputer.

A hacker wouldn't even bother with encrypted passwords in a database, unless they just wanted to lock everyone out by messing with entries. They would just sniff packets being sent to the server for passwords and login names. HTTPS should solve that.

 
n/a
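Matt Esch says passwords "should always be hashed with a salt when stored in a database", and Cecilectomy adds above that a salted hash forces an attacker back to brute force or rainbow tables. The block below is an added example for those two posts, not code from the thread or from the TDC codebase. It stores a password as a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, verifies a login by recomputing the digest, and shows the property the salt buys: two registrations of the same password produce different records, so one precomputed table cannot crack the whole table and a database dump cannot be turned back into passwords to email out. The record format, function names and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an assumption chosen
# for this example; raise it as far as your login latency budget allows.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the string to store: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn per call unless one is supplied, so two
    users with the same password get different records and a table
    precomputed for one salt is useless against every other row.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count.

    The stored record cannot be reversed into the password: the site can
    check a login attempt, but it has nothing it could email back.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    return hmac.compare_digest(digest.hex(), parts[3])


def same_password_distinct_records(password: str) -> bool:
    """True when two registrations of one password yield different records
    that both still verify. This is what the per-user salt provides."""
    first = hash_password(password)
    second = hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    # Constructed example rows. The first is what the thread complains about:
    # reading the database gives the password directly.
    recoverable_row = {"user": "alice", "password": "correct horse"}
    hashed_row = {"user": "alice", "password": hash_password("correct horse")}
    print("recoverable:", recoverable_row["password"])
    print("hashed:     ", hashed_row["password"])
    print("login ok:   ", verify_password("correct horse", hashed_row["password"]))
    print("salted:     ", same_password_distinct_records("correct horse"))
```

Assault Andy's distinction between plaintext and "decryptable" storage is worth keeping in mind here: reversible encryption only helps while the key stays out of the attacker's hands, and a web application has to hold that key to decrypt, so anyone who takes the database and the application server recovers every password. The hashed record above gives that attacker only guesswork at the cost of 200,000 hash iterations per guess per user.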

UrbanMonk

BRING BACK MITCH

Registered
  07/07/2008
Points
  49667

5th December, 2009 at 04:23:50 -

I didn't bother with any of that, I just redirected the domain name to my phishing website when I stole all your passwords.

So that wouldn't work. Sorry.

 
n/a