Larion Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.

  • Kevin
    link
    fedilink
    English
    4
    edit-2
    1 year ago

    Maybe I’m misunderstanding you, but backend servers will almost always have the user-submitted password in plaintext as a variable, accessible to the backend server and any upstream proxies.

    It’s even how it’s done in Lemmy. The bcrypt verify accepts the plaintext password and the expected salted hash.

    • @[email protected]
      link
      fedilink
      English
      11 year ago

      There are ways to have passwords transmitted completely encrypted, but it involves hitting the backend for a challenge, then using that challenge to encrypt the password client side before sending. It still gets decrypted on the backend tho before hash and store.

      • Kevin
        link
        fedilink
        English
        21 year ago

        Yeah, but SSL/TLS also solves that problem in a standardized way.

        In either case, the backend will have the plaintext password regardless of how it’s transmitted.

        • Alien Nathan Edward
          link
          fedilink
          English
          21 year ago

          Not without compromised certificates they haven’t. You can tell because if they did they’d be world famous for having destroyed any and all internet security. Then again, they’d probably already be famous for having figured out a way to salt, hash and store passwords without ever holding them in memory first like they claim to do above, so maybe someone is lying on the internet about their vague “proprietary network protocols”.

        • @[email protected]OP
          link
          fedilink
          English
          -71 year ago

          I haven’t looked into it but I was wondering about the logistics of setting up a federated honeypot for server side stream sniffing to build a plaintext email/password database.

      • @[email protected]
        link
        fedilink
        English
        11 year ago

        Man, you sound like you’re just using random words you heard in class. Clearly you have no clue how user registration actually works, let alone backend development.