Skip Navigation

exal
exal @ exal @lemmy.ca
Posts
0
Comments
3
Joined
2 yr. ago

OP finds vulnerability where a forum sends you your password in plaintext over email and everyone misses the forest for the trees

Jump

  • (one-time)

    You make it sound like an irrelevant detail, but that's kind of the key part. If implemented properly, it's only valid once and for a short period of time, which greatly reduces risk.

    • Larion Studios forum stores your passwords in unhashed plaintext.

    Jump

  • Especially if they have a maximum password length.

    Not really, there are good reasons to limit password length. Like not wanting to waste compute time hashing huge passwords sent by a malicious actor. Or using bcrypt for your hashes, which has a 72 byte input limit and was considered the best option not that long ago. The limit just has to be reasonable; 72 lowercase letters is more entropy then the bcrypt hash you get out of it, for example.

    • Larion Studios forum stores your passwords in unhashed plaintext.

    Jump

  • Kind of.

    The official web UI doesn't let you enter more than 60 characters, but doesn't indicate that at all. So you can keep typing past 60 characters but it won't get added to the input field and you can't really see that. If you paste a password into the field, it gets trimmed to 60 characters.

    When creating a password, the server checks that it isn't longer than 60 characters and returns an error if so. On login, however, it silently trims the password to 72 bytes, because that's what the hashing algorithm they use supports.