Don't you crypt the passwords?
 


Jarzka



Registered
  26/12/2003
Points
  270

9th January, 2012 at 18:21:42 -

Hi

I found myself on this site after a long time. I logged in after receiving my forgotten password via email. However, I saw that the password was in clear text format. Don't you crypt the passwords in your database?

 
n/a

Hagar

Administrator
Old klik fart

Registered
  20/02/2002
Points
  1692

9th January, 2012 at 23:46:09 -

I have no idea, and I doubt admins will answer in fear of the site's security.

On a more general note I thought the best method was to not store passwords at all, only a hash, checksum or signature. That way even if a hacker does gain access they only have a signature and not the password.

Makes sense in my frazzled brain

 
n/a

Jon Lambert

Administrator
Vaporware Master

Registered
  19/12/2004
Points
  8235

10th January, 2012 at 00:42:11 -


Originally Posted by ..::hagar::..
I have no idea, and I doubt admins will answer in fear of the site's security.

On a more general note I thought the best method was to not store passwords at all, only a hash, checksum or signature. That way even if a hacker does gain access they only have a signature and not the password.

Makes sense in my frazzled brain

I can't answer Jarzka's question as I don't actually do any backend work, but you would be right about storing a hash.

 
Sandwich Time!Whoo!

JoyCheck & KeyCheck Widgets
For easy implementation of customizable joystick and keyboard controls.
http://www.create-games.com/download.asp?id=8364

Cecilectomy

noPE

Registered
  19/03/2005
Points
  305

10th January, 2012 at 02:37:17 -

A hash (message digest) is not decryptable, so I would assume they do not. The site is quite old, despite the recent minuscule face-lift it received, and therefore protection probably wasn't really a concern when they implemented it.

Another explanation is that they are using a decryptable method of safely storing passwords, and therefore are able to return your password in plain-text via email.

Either way, if anyone (not likely that anyone cares though) gains access to your TDC account, it's not the end of the world. There's nothing of value here. At most, just for trolling and lols.

 
n/a

Phredreeke

Don't listen to this idiot

Registered
  03/08/2002
Points
  4504

10th January, 2012 at 07:09:00 -

BUT, it would be bad in case you used your TDC password for another site.

Also, open up the Modify Profile page, view source and search for name="password" and SURPRISE!

Edited by Phredreeke

 
- Ok, you must admit that was the most creative cussing this site have ever seen -

Make some more box arts damnit!
http://create-games.com/forum_post.asp?id=285363

Hagar

Administrator
Old klik fart

Registered
  20/02/2002
Points
  1692

10th January, 2012 at 11:08:11 -


Originally Posted by The Cecilizer
A hash (message digest) is not decryptable, so I would assume they do not. The site is quite old, despite the recent minuscule face-lift it received, and therefore protection probably wasn't really a concern when they implemented it.

Another explanation is that they are using a decryptable method of safely storing passwords, and therefore are able to return your password in plain-text via email.

Either way, if anyone (not likely that anyone cares though) gains access to your TDC account, it's not the end of the world. There's nothing of value here. At most, just for trolling and lols.



I was thinking about the best way to do it, and not how TDC does it

 
n/a

nim



Registered
  17/05/2002
Points
  7233
10th January, 2012 at 14:20:12 -


Originally Posted by The Cecilizer
A hash (message digest) is not decryptable, so I would assume they do not. The site is quite old, despite the recent minuscule face-lift it received, and therefore protection probably wasn't really a concern when they implemented it.

Another explanation is that they are using a decryptable method of safely storing passwords, and therefore are able to return your password in plain-text via email.

Either way, if anyone (not likely that anyone cares though) gains access to your TDC account, it's not the end of the world. There's nothing of value here. At most, just for trolling and lols.



The site is old and outdated in a lot of ways but I think Mike is pretty clued up on making a site secure. Not that I know anything about how this site was made, but knowing a little about Clubby I'd be very surprised to discover that it's not secure. Consider how many times Rikus' account would have been hacked by now if it were easy!

That said, I don't even understand the original question. Your password is sent to you in plain text so that you can.. read it. That's got little to do with how it's stored in the database.

 
//

Phredreeke

Don't listen to this idiot

Registered
  03/08/2002
Points
  4504

10th January, 2012 at 16:29:44 -


Originally Posted by nim

That said, I don't even understand the original question. Your password is sent to you in plain text so that you can.. read it. That's got little to do with how it's stored in the database.



It shows that it's not hashed. Hashes are one-way functions so once you've hashed it there is nothing to send back to you. The only way to get the password would be to try and hash every possible password.

 
- Ok, you must admit that was the most creative cussing this site have ever seen -

Make some more box arts damnit!
http://create-games.com/forum_post.asp?id=285363
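
Added example, not part of the thread and not the site's code: storing only a salted, slow hash and handling a forgotten password with a one-time reset token, since a one-way hash leaves nothing to e-mail back. PBKDF2-HMAC-SHA256, the iteration count, the in-memory dicts standing in for database tables, and all function names are assumptions for illustration.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 600_000      # PBKDF2 work factor (assumed value for this example)
RESET_TTL = 15 * 60       # seconds a reset token stays valid (assumed)

users = {}                # username -> (salt, derived_key); stands in for the user table
reset_tokens = {}         # sha256(token) -> (username, expiry); stands in for a token table

def _derive(password, salt):
    # Slow, salted one-way function: the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(username, password):
    salt = secrets.token_bytes(16)            # unique per user
    users[username] = (salt, _derive(password, salt))

def verify_password(username, password):
    record = users.get(username)
    if record is None:
        return False
    salt, stored = record
    # Re-derive from the login attempt and compare in constant time.
    return hmac.compare_digest(_derive(password, salt), stored)

def start_reset(username, now=None):
    """Create a one-time token to e-mail; only its hash is kept server-side."""
    if username not in users:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, now + RESET_TTL)
    return token

def finish_reset(token, new_password, now=None):
    """Consume the token (single use) and set a new password if it is still valid."""
    now = time.time() if now is None else now
    entry = reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True

if __name__ == "__main__":
    set_password("alice", "correct horse")    # constructed sample account
    print(verify_password("alice", "correct horse"), verify_password("alice", "guess"))
    link_token = start_reset("alice")         # this, not the password, goes in the e-mail
    print(finish_reset(link_token, "new passphrase"), finish_reset(link_token, "replay"))
```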

nim



Registered
  17/05/2002
Points
  7233
11th January, 2012 at 00:58:49 -

Then I guess not. Clubsofttt!!!

 
//

Cecilectomy

noPE

Registered
  19/03/2005
Points
  305

11th January, 2012 at 08:15:08 -


Originally Posted by Phredreeke
BUT, it would be bad in case you used your TDC password for another site.

Also, open up the Modify Profile page, view source and search for name="password" and SURPRISE!



You should never use the same password for anything of importance.

All my passwords that go to anything of relative importance receive the maximum strength as provided by the password system. If a password has to be between 6 and 14 characters, my password is naturally the maximum 14. I also use every character provided to me. If I can use special characters then I do. If it is case sensitive then I use both cases. I also do not use any sort of patterns or sequences from experience. I wrote a script that creates me completely random passwords, using given parameters required or available for use in that specific password system.

Anything that has no important information, such as this site, receives a variation of the same password I have been using for years.

 
n/a
   
