Feedback, Complaints or Problems

Greetings,

I have some concerns about the way you store our account passwords. Today was the first time that I had to use the "forgot password" and I was sent my password wich means passwords are stored in clear text on the server. I do understand that you should have different passwords for different services, and ofcourse I do, but the problem here is that it would be very easy for someone to use stolen accounts. All they would need is the password list from the server.

So with that said I wish you could encrypt and salt the passwords.

Have you thought about that the passwords when they get sent out, that they get decrypted before they are sent? Also there is no way they can get the password list. PWizard and Nevermore would be the only 2 able to access it.

Tell that to hacker groups like anonymous. When someone wants something bad enough they will find a way. On that note encryption can be broken. However as angel said they easily could have them decrypted when sent. (Which further proves anything can be undone.)

Note: I am in no way saying people have or will hack this site. I am merely stating that anything possible to be prepared. Change your passwords often. Etc etc.

[Edited by Varacka, 4/30/2013 12:15:20 PM]

I have often thought about making our passwords more secure by utilizing things like 4-layer encryption, quadruple reverse salting, etc but then a few things come to mind.

First, this is a VIDEO GAMES website. Not Facebook. Not a bank. Not a doctor's office. We store very little information about each user that would be useful to anyone. We do not store physical addresses, phone numbers, social security numbers, financial information, etc. Not even your zip code. Most people don't even put in their real names when registering. So, the most anyone would get is alias, email address and password, which if you use the same one for every website you visit, then shame on you.

All of the financial and personal information used when purchasing a membership from our site is handled by PayPal, Authorize.net and other third party merchant account vendors. We never see that information and do not store that information.

Now, having said that, the security of the personal information we do store is very important to us. Our web server is protected by multiple web application firewalls and a hardware firewall. We have measures in place to document all user activity such as trainer downloads, password changes, logins from multiple IPs etc, and we monitor this information daily for any suspicious activity and take the appropriate actions.

There have been many occasions where we've had to recover someone's account password for them, otherwise they would have lost their UNL account and had to create a new one.

As others have said, you can have the strongest encryption in the world on the passwords, but it won't matter if hackers gain access to the server where the encryption is taking place.

We will continue to investigate whether or not more secured passwords will really help or end up hindering more users than it does good. We appreciate everyone's feedback and concern and know that we don't take things like this lightly.

You cant do that, the server would have to bruteforce the encryption first and then send your password to you in clear text, or they would have to have a rainbow table that covers everyones password. Anyone who tried bruteforcing a 16+ character password knows it wont happen with current hardware.

Thanks PWizard for the reply, I do hope that you guys end up encrypting them, or atleast inform people about it when they create their account. Some people use very long passwords, but they might be using the same first 14 characters and then add the websites name, or something else related to the website after. It's pretty secure as long as noone knows the initial characters.
But as long as you do restore passwords or accounts incase of someone loosing their unlimited account it's fine with me.

[Edited by Skuggan, 4/30/2013 2:11:28 PM]

[Edited by Skuggan, 4/30/2013 2:11:57 PM]

Well, maybe I'm stupid because I studied that kind of stuff - Also I'm working as some kind of IT-Technician (hard to translate the real title)....

But storing a password in PLAIN text is always bad, no matter what you want to do with it or what you're selling.

Simply encrypting is also not optimal - Why would the server ever need the real password? Besides that, the server needs to know the key - So does the bad hacker

Sha-256 (few thousand iterations) + salt and you're done.

Password reset would work with a new created random password which must be changed after first login.

This way the passwords are safe.

SHA-256 is a Hash - Means one way encryption. The password is only stored as a hash on the server - No way to 'calculate' the real password from it. Throw some salt plus the thousands of iterations in it and you'll also blow all the rainbows

The thousands of iterations are for extra security. This way you get a hash from the hash from the hash from the.. You get the point. For the CH-Server this is a one-time task - Quick for just one password.
For the hacker who stole the DB and want's to crack the passwords with a Rainbow-Table (he needs a custom because we're already using a salt) it's n*iterations per string.
Noone would try to crack them..

BTW skuggan just because a password is sent via plain text in an email, doesn't mean it is not protected on the database.

Most databases have standard encryption anyway, no matter who hosts the site.

As for CH not sure, but I think there has to be some sort of encryption used to stop people from unknown sources gaining info, the only people who can get the passwords in pure form as the admin who log in via the sites administration controls.

As for high level encryption, there is a problem with that, the site has to understand how to decrypt/encrypt information to check if the password stored for an account is the same which means the key is stored on the site, which means a hacker with knowledge can take that key wherever it is stored and then use it to decrypt data.

Only way would be to add another server which contains decryption data which is not part of the site adding another layer of protection.

[Edited by DABhand, 5/1/2013 6:47:56 AM]

Well it cant send me the password in plain text if it is encrypted, simply because the server doesnt know what my password is, it only knows the value of the encryption. With a key and the password I write to login it then check that the encrypted value in the password-list matches the encryption value generated from the password I wrote.

If it had a key to decrypt the passwords in the list and then send them in plain text to users all kinds of encryption would be kinda waste of time as you would provide the decryptionkey to any hacker who can reach the file.

A simple encryption and salt is all that is needed, and users that use long passwords. Anything above 16 characters long is safe enough, no one will spend time trying to bruteforce those passwords when they got a whole list of encrypted passwords and where some of them probably are pretty short, 10 characters or less.

[Edited by Skuggan, 5/1/2013 9:12:13 AM]