Forums software issue: password vulnerability

  • #7818
    Anonymous
    Inactive

    I just signed up for the Autocross forums. Last time I used the forums was back when they were hosted by justracing.com, a while ago I guess.

    In any case, after signing up I had the big surprise of receiving an email with my user name and password in clear text. This means the password is stored in clear text in the database, which is a big problem if any of you reuse the password across different web services (e.g. Gmail, Facebook, etc.). If this is your case, I’d advise immediately changing the password on all these services.

    If it is possible, it’d be great if the forums software developers could encrypt the passwords before storing them in the database using a slow hash function.

    https://crackstation.net/hashing-security.htm

    #7833
    Jeff Roberts
    Keymaster

    This means the password is stored in clear text in the database

    This is not true.

    We are looking into the issue of e-mailing you your password in plain text, but I can tell you, the passwords are not stored in plain text. I have access to the database and I cannot see anything.

    It’s good practice to not reuse passwords anyway, those who do are at risk no matter where they’re creating them.

    I recommend 1password. I can’t live without it!
