@[email protected] to [email protected]English • 1 year agoLarion Studios forum stores your passwords in unhashed plaintext.lemmy.worldmessage-square197fedilinkarrow-up1470file-text
arrow-up1318imageLarion Studios forum stores your passwords in unhashed plaintext.lemmy.world@[email protected] to [email protected]English • 1 year agomessage-square197fedilinkfile-text
Larion Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.
minus-squaretb_linkfedilinkEnglish9•edit-21 year agoBut that still means they had your plaintext password at some point. Edit: which, as some replies suggest, may not actually be much of an issue. I’m still skeptical about them returning it, however.
minus-squarevoxellinkfedilinkEnglish15•edit-21 year agohashing on client side is considered a bad idea and almost never done. you actually send your password “in plain text” every time you sign up.
minus-square@[email protected]linkfedilinkEnglish-4•1 year agoIt’s not a bad idea and it is often done, just not in a browser/webapp context.
minus-square@[email protected]linkfedilinkEnglish2•1 year agoCan you give an example where this is done?
minus-square@[email protected]linkfedilinkEnglish3•edit-21 year agoSorry, I should have included an example in my comment to clarify, but I was in a rush. HMAC is a widely used technique relies on hashing of a shared secret for verifying authenticity and integrity of a message, for example.
minus-square@[email protected]linkfedilinkEnglish3•1 year agoOf course. You receive the password in plain on account creation, do the process you need, and then store it hashed. That’s fine and normal
minus-square@[email protected]linkfedilinkEnglish5•1 year agoWhen you create an account you type your password in. This gets sent to the server, and then it is hashed and stored So there is a period of time where they have your unhashed password This is true of every website you have ever made a password on
minus-square@[email protected]linkfedilinkEnglish-1•1 year agoI’ve never even heard of the game studio I’m not defending them, I was replying to the person who said the company should never have your unhashed password, and explaining that they have to at some point in the process
minus-square@[email protected]linkfedilinkEnglish-7•1 year agoSo why would an agent at Larian have man-in-the-middle access between the password being sent to the server, and the auto-hash?
minus-square@[email protected]linkfedilinkEnglish2•1 year agoUm. Yeah, because you provided it to them. They have to have it in plain text in order to hash it.
But that still means they had your plaintext password at some point.
Edit: which, as some replies suggest, may not actually be much of an issue.
I’m still skeptical about them returning it, however.
hashing on client side is considered a bad idea and almost never done.
you actually send your password “in plain text” every time you sign up.
Really everytime you log in too.
It’s not a bad idea and it is often done, just not in a browser/webapp context.
Can you give an example where this is done?
Sorry, I should have included an example in my comment to clarify, but I was in a rush.
HMAC is a widely used technique relies on hashing of a shared secret for verifying authenticity and integrity of a message, for example.
deleted by creator
Of course. You receive the password in plain on account creation, do the process you need, and then store it hashed.
That’s fine and normal
deleted by creator
When you create an account you type your password in. This gets sent to the server, and then it is hashed and stored
So there is a period of time where they have your unhashed password
This is true of every website you have ever made a password on
deleted by creator
I’ve never even heard of the game studio I’m not defending them, I was replying to the person who said the company should never have your unhashed password, and explaining that they have to at some point in the process
So why would an agent at Larian have man-in-the-middle access between the password being sent to the server, and the auto-hash?
Um. Yeah, because you provided it to them. They have to have it in plain text in order to hash it.