Topic: Plain-text passwords in password reset

Plain-text passwords in password reset

I’m not sure whether this is the right place to post, but it didn’t seem to fit anywhere else.  I just reset my password and discovered that HA mails you your new password, i.e. the password is stored in plaintext (or encrypted rather than hashed), which is a security problem.  In short:
Quote
We are not perfect, and as a result, the software we make is not perfect. It can - and probably will - be hacked at one point or another. Users use the same password for most of the services they use (let’s be honest, you do this too), so when your product gets hacked, you will be exposing your users to having most of their online accounts stolen.

Reply #1
Let's be very clear here, because I misread this the first few times.  There is a security hole because HA emails a new randomized password.  The security holes are as follows:
  • HA does not force you to change from the emailed password, i.e. the temporary password could be used indefinitely.
  • Even if it does, a hole is opened for a brief moment when a "temporary" password is emailed.


First, understand that this is a public discussion forum with no major personal data verified or stored.  Consequently HA's obligation to you is pretty low.

Second, there is a much bigger security hole in that your password is sent to HA's servers over an unsecured connection.  This is because SSL certificates are expensive, and the data stored here is not very valuable.  In fact, the most valuable thing stored on their servers may very well be your password.  It's on you to make sure that the password you use here is not valuable.

Reply #2
Leaving aside the fact that people tend to entrust more of their private data than you’d expect to sites like this, yes, password reuse is a user error, but password storage is the responsibility of the site.  HA is storing the passwords, so why would it leave itself open to losing all of them so easily?
Quote
Second, there is a much bigger security hole in that your password is sent to HA's servers over an unsecured connection.  This is because SSL certificates are expensive, and the data stored here is not very valuable.

Yes, all true—which is why I’m planning to suggest Let’s Encrypt once it opens.

These security holes exist.  My post was intended to bring them to the admins’ attention, not to say, ‘FIX THIS, PEONS’.

Reply #3
SSL certificates aren't very expensive. I used to work for a web hosting company that offered a basic certificate for $50 annually, and you can probably find them cheaper than that. I don't know anything about HA's budget, but they're probably already spending several times that in hosting.

Reply #4
I just came in to comment since I started using hydrogenaudio again for the first time in a few years. I was astounded to find that the site doesn't use https at all – not even in the user preferences or password reset (or when signing in, of course).

This is a disservice to all users and fixing it is a worthy cause.


Reply #6
Quote
I just reset my password and discovered that HA mails you your new password, i.e. the password is stored in plaintext (or encrypted rather than hashed), which is a security problem.


This is a complete and total misunderstanding on your part. When you reset your password, you get a new, temporary one in plaintext BECAUSE IT WAS JUST GENERATED, not because it was stored unencrypted and recovered from there.

Consequently:

Quote
HA is storing the passwords, so why would it leave itself open to losing all of them so easily?


This is not possible, because as pointed out above the unencrypted passwords aren't stored.

I haven't studied in-depth how well IPB salts+hashes them, though, so I'd advise proper caution anyway.

Reply #7
Quote
This is a disservice to all users and fixing it is a worthy cause.


Yeah well SSL certificates still cost money and I didn't notice any offer to buy the certs in your post? Feel free to take your entitlement elsewhere.

Kudos to spoon for putting that money on the table. HA is on HTTPS now.


Reply #8
Quote
I just reset my password and discovered that HA mails you your new password, i.e. the password is stored in plaintext (or encrypted rather than hashed), which is a security problem.

This is a complete and total misunderstanding on your part. When you reset your password, you get a new, temporary one in plaintext BECAUSE IT WAS JUST GENERATED, not because it was stored unencrypted and recovered from there.

I believe his concern was at least partially from emailing the new password to the user in plaintext (point #8 in the website he linked), which is susceptible to a man-in-the-middle attack, rather than using a link allowing the user to specify a new password directly (point #9).

Of course, that's a bit extreme for a discussion forum. I doubt any user here has any information in their account that would compromise them elsewhere.

Reply #9
Quote
I believe his concern was at least partially from emailing the new password to the user in plaintext (point #8 in the website he linked), which is susceptible to a man-in-the-middle attack, rather than using a link allowing the user to specify a new password directly (point #9).


That's why it is a temporary password, not the password the user chose (this difference is extremely important - a compromise can never accidentally leak credentials to other sites). There is no practical difference to sending a temporary link because the link is also sent to the email on file. If your email is compromised I can intercept the link just as well. A major bitcoin exchange got hacked this way.

It looks like IPB doesn't expire it (bad), but the exact same problem would exist if you sent a link that doesn't expire.
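The reset flow the thread argues about (hashed password storage, and a temporary credential that is single-use and expires), as an added example that is not HA's or IPB's code. The in-memory dictionaries, the 15-minute lifetime and the PBKDF2 iteration count are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed stand-ins for the forum database (assumption; real code would use its own tables).
USERS = {}    # username -> {"salt": bytes, "hash": bytes}; the plaintext is never kept
RESETS = {}   # sha256(token) hex -> {"user": str, "expires": float}; the raw token is never kept

RESET_TTL_SECONDS = 15 * 60   # constructed value: a temporary credential must expire
PBKDF2_ROUNDS = 100_000       # constructed example value; tune upward for production hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; because only this digest is stored, the site cannot mail a password back."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def set_password(user: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[user] = {"salt": salt, "hash": digest}

def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])   # constant-time comparison

def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Return the single-use token that goes into the e-mailed link; only its hash is stored,
    so a database leak does not yield usable reset links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESETS[key] = {"user": user, "expires": now + RESET_TTL_SECONDS}
    return token

def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token: it is removed on first use whether or not it was still valid,
    and it is rejected once past its expiry (the non-expiring case the thread calls bad)."""
    now = time.time() if now is None else now
    rec = RESETS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["user"], new_password)
    return True
```

The user still chooses the new password through the link, so the credential that transits e-mail is never one they reuse elsewhere.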

Reply #10
Thanks for ponying up for the certificate Spoon. BTW, your spoon avatar image causes the site to be marked as insecure on threads you post in because it's an image hosted on a non-TLS site.


Reply #11
Quote
Thanks for ponying up for the certificate Spoon. BTW, your spoon avatar image causes the site to be marked as insecure on threads you post in because it's an image hosted on a non-TLS site.


You'll see this in every thread where user content (typically img links) is posted too, because people tend to use http links. There's no way to fix this without forbidding it AFAIK, which I doubt HA wants to do.

IMHO Chrome's warning for this (striking through the https) is a bit obnoxious especially as they expressly allow passive content like images through in the first place (which is why you can see spoon's avatar). Firefox's warning sign+"attackers may alter the look of the site" message is a bit more on point.
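A check for the mixed content the last two replies describe, as an added example and not part of the forum's code: it walks a post's HTML and reports resources that would load over plain http on an https page, split into the passive kind browsers still allow (images, media) and the active kind they block (scripts, frames, stylesheets). The sample post and the example.invalid URLs are constructed.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Tags that actually fetch a resource, and the attribute holding its URL.
# A plain <a href> is just a link and is not mixed content, so it is not listed.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    """Collect (tag, url, kind) for every http:// resource embedded in the document."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        kind = "passive" if tag in PASSIVE else "active" if tag in ACTIVE else None
        if kind is None:
            return
        url = dict(attrs).get((PASSIVE if kind == "passive" else ACTIVE)[tag])
        if url and urlsplit(url).scheme.lower() == "http":
            self.findings.append((tag, url, kind))

def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample post: one http avatar, one https image, one plain link, one http script.
SAMPLE_POST = (
    '<p>Thanks!</p><img src="http://example.invalid/spoon.png">'
    '<a href="http://example.invalid/page">link</a>'
    '<img src="https://example.invalid/ok.png">'
    '<script src="http://example.invalid/x.js"></script>'
)
```

Running it over a post before it is saved lets the site flag or rewrite the offending URL instead of silently losing the padlock on the whole thread.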