Larion Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.

  • @Cabrio@lemmy.worldOP
    link
    fedilink
    English
    -7
    edit-2
    1 year ago

    They can’t send it if they haven’t stored it, that’s the proof. Whether temporary or not it’s a weakness and attack vector for obtaining unhashed passwords. And if they stored it, it should be immediately hashed at which point they can’t send it.

    • Rikudou_Sage
      link
      fedilink
      English
      81 year ago

      That… is not how it works. It is usually hashed and at the same time an email is sent. Meaning it’s not stored plaintext in any storage.

    • @towerful@programming.dev
      link
      fedilink
      English
      4
      edit-2
      1 year ago

      They can still send it while the value is in memory.
      But it’s unlikely that emails are sent synchronously. At which point, it has to be added to a job queue somewhere which might not be in memory.
      There is also the communication with that job queue, and logging along the way, and any email logging.
      Email isn’t secure, either.

      So, it bad practice regardless.

      Thankfully larian did address this, and fixed the issue as pointed out by another commenter.
      Addressed here, with the follow up of fixing it:
      https://forums.larian.com/ubbthreads.php?ubb=showflat&Number=669268#Post669268

      And that was back in 2020. 3 years ago.

    • voxel
      link
      fedilink
      English
      3
      edit-2
      1 year ago

      they can send it without storing. In fact a lot of websites (mostly small outdated forum systems) send your password to your email before storing it.