this post was submitted on 28 Sep 2023
182 points (72.8% liked)

Larian Studios forum stores your passwords in unhashed plaintext. Don't use a password there that you've used anywhere else.

[–] Dremor@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Hello, c/Games mod here.

This post has been reviewed as valid by the mod team

For everyone's infosec culture: hashing and salting passwords consists of using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker who was able to steal a database to obtain the passwords. As the website is unable to decrypt said password (thanks to the one-way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in its database.

But

In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure whether Larian Studios indeed has unhashed and unsalted passwords in its database.

[–] nickwitha_k@lemmy.sdf.org 65 points 1 year ago (1 children)

That's very unlikely. It's running UBB Threads, which, from what I can tell, has an auth subsystem, which at minimum would do hashing. If it's providing you with a default at sign-up, that's different and is what appears to be a configurable setting.

If it is completely generated for you, here's what's probably happening:

  1. User creation module runs a password generator and stores this and the username in memory as string variables.
  2. User creation module calls back to storage module to store new user data in db, including the value of the generated password var.
  3. Either the storage module or another middleware module hashes the password while preparing to store.
  4. Storage module reports success to user creation.
  5. User creation module prints the vars to the welcome template and unloads them from memory.

TL;DR: as this is running on a long-established commercial PHP forum package with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.
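As an added illustration (not UBB Threads code, and nothing from Larian): the five-step flow sketched in the reply above, together with the hashing and salting Dremor describes, in Python. The welcome mail is produced while the password is still a local variable, and storage receives only a random salt and a one-way digest; the in-memory database and outbox are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the forum's user table and its outgoing mail queue.
DB: dict[str, dict] = {}
OUTBOX: list[str] = []


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is one-way: the digest cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def register(username: str, password: str, email: str) -> None:
    # Step 1: the plaintext exists only as a local variable in this function.
    # Step 5 (done early here): the welcome template is rendered from that variable.
    OUTBOX.append(f"To: {email}\nWelcome {username}! Your password is: {password}")
    # Steps 2-4: only a fresh salt and the digest are handed to storage.
    salt = os.urandom(16)
    DB[username] = {"salt": salt, "digest": hash_password(password, salt)}
    # Nothing else is kept; the plaintext is gone when this function returns.


def verify(username: str, attempt: str) -> bool:
    # Login re-derives the digest with the stored salt; no decryption is involved.
    rec = DB.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["digest"], hash_password(attempt, rec["salt"]))


def db_contains_plaintext(password: str) -> bool:
    # What someone holding a copy of the table would find: salt and digest only.
    needle = password.encode()
    return any(needle in r["digest"] or needle in r["salt"] for r in DB.values())


def outbox_contains_plaintext(password: str) -> bool:
    # An archived mailbox or mail log, by contrast, does hold the plaintext.
    return any(password in msg for msg in OUTBOX)


if __name__ == "__main__":
    register("alice", "correct horse battery", "alice@example.test")
    print("login ok:", verify("alice", "correct horse battery"))
    print("plaintext in DB:", db_contains_plaintext("correct horse battery"))
    print("plaintext in outbox:", outbox_contains_plaintext("correct horse battery"))
```

Because each user gets a fresh salt, two accounts with the same password end up with different digests, which is the point of the "and salted before hashing" reply further down.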

[–] Cabrio@lemmy.world 8 points 1 year ago (1 children)

It sends the user generated password, not an auto generated one.

[–] hex@programming.dev 31 points 1 year ago (37 children)

Yeah if they send the password in an email in plain text that's not storing it. You can send the email before you store the password while it's still in memory and then hash it and store it.

[–] vox@sopuli.xyz 51 points 1 year ago* (last edited 1 year ago) (6 children)

no, they probably don't.
they just send it to your email upon registration, which is kinda a bad idea, but they are probably storing passwords hashed afterwards.

[–] Mirodir@discuss.tchncs.de 24 points 1 year ago (5 children)

...and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.

[–] TheEighthDoctor@lemmy.world 14 points 1 year ago (2 children)

So it's in plaintext in their email system

[–] dangblingus@lemmy.world 13 points 1 year ago (3 children)

I've literally never had a service provider email me my own password ever. Maybe a OTP, but never my actual password. And especially not in plaintext.

What would be the necessity behind emailing someone their own password? Doesn't that defeat the purpose of having a password? Email isn't secure.

[–] wim@lemmy.sdf.org 12 points 1 year ago (1 children)

I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.

A lot of cottage industry web apps also did the same.

[–] benjacoblee@lemmy.world 4 points 1 year ago

Idk if I'm misremembering, but it's my impression that they did this a lot in the 2000s, haha. I guess bad practices have a habit of sticking around

[–] darkkite@lemmy.ml 11 points 1 year ago (1 children)

this is still a terrible idea. the system should never know the plaintext password.

logs capture a lot, even automated emails. i don't see a single reason to send the user their plaintext password and many reasons why they shouldn't.

[–] JackbyDev@programming.dev 11 points 1 year ago (1 children)

"Kinda a bad idea?" This is fucking insane.

[–] tb_@lemmy.world 10 points 1 year ago* (last edited 1 year ago) (8 children)

But that still means they had your plaintext password at some point.

Edit: which, as some replies suggest, may not actually be much of an issue.
I'm still skeptical about them returning it, however.

[–] vox@sopuli.xyz 15 points 1 year ago* (last edited 1 year ago) (5 children)

hashing on the client side is considered a bad idea and is almost never done.
you actually send your password "in plain text" every time you sign up.

[–] inclementimmigrant@lemmy.world 36 points 1 year ago* (last edited 1 year ago) (8 children)

While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn't mean they store your password in their database as plaintext.

[–] JackbyDev@programming.dev 31 points 1 year ago (3 children)

Encrypted passwords are still an unacceptable way to store passwords. They should be hashed.

[–] Cloodge@lemmy.world 15 points 1 year ago (1 children)

(and salted before hashing.)

[–] Dicska@lemmy.world 11 points 1 year ago (1 children)

And marinated in butter milk.

[–] Michal@programming.dev 8 points 1 year ago (1 children)

Just because they send out the password does not mean it's not hashed. They could send the email before hashing.

[–] JackbyDev@programming.dev 5 points 1 year ago

You're correct, and after reading more of the thread I saw OP say this was sent immediately after registering. I don't have reason to believe it is stored in plaintext unless they're storing a copy of every email they send.

[–] jeeva@lemmy.world 14 points 1 year ago (4 children)

Would you accept "in a way that can be reversed"?

[–] lowleveldata@programming.dev 24 points 1 year ago (2 children)

Don’t use a password ~~there~~ that you’ve used anywhere else

Just get a password manager already

[–] 1984@lemmy.today 16 points 1 year ago* (last edited 1 year ago) (29 children)

It's 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one, with multi factor auth on important sites like email.

[–] Honytawk@lemmy.zip 10 points 1 year ago (2 children)

There are people who purposely forget their passwords, so they use the "forgot my password" link every time they need to login.

Hard to hack them.

[–] 1984@lemmy.today 8 points 1 year ago

Yeah, some sites also don't have passwords; they just send a login link to your email every time.

I prefer passwords so I don't have to go to my email to log in, but I understand it's easier for some people to do it that way. Your email address becomes your identity then.

[–] hex@programming.dev 5 points 1 year ago

That's just 2FA with extra steps

[–] jonne@infosec.pub 14 points 1 year ago* (last edited 1 year ago)

Sending your password right after you created it might not be best practice, but it doesn't mean it's stored unhashed in the database. It looks like they're using a third party forum software, so it should be pretty straightforward to figure out whether they do or not.

Looks like they address it here: https://forums.larian.com/ubbthreads.php?ubb=showflat&Number=669268#Post669268
