ashlayne
 member, 1674 posts
 May you have exactly the
 God/dess you deserve. =p
Mon 17 Oct 2016
at 02:58
Cleartext passwords?
...Wow. When I reset my password through my browser so I could log into the site on my phone and tablet, the site sent me a cleartext copy of my new password. I'm glad I use Gmail with 2FA.

jase, can this be changed? I'm uncomfortable with my new password being emailed in a cleartext format. Are they stored on the server that way too?
LoreGuard
 member, 625 posts
Fri 21 Oct 2016
at 02:58
Cleartext passwords?
Have you considered that each time you logged in, it was being passed in clear text?  I had suggested even using a self-signed cert if they didn't want to pay for a commercial cert (or investigating OpenCA).
Evil Empryss
 member, 1507 posts
 Try tasting your words
 before spitting them out
Fri 21 Oct 2016
at 03:32
Cleartext passwords?
Not to put too fine a point on it, but so what?  It's RPOL, not your bank.  So long as you aren't using a password here as the password on another site, what's the worst that will happen?  Someone gets your password and deletes some posts or posts garbage in your games?  You just change the password (or contact the Mods if the hacker changed it on you) and apologize to your GMs for anything the hacker may have posted that messed with the games.
ashlayne
 member, 1675 posts
 May you have exactly the
 God/dess you deserve. =p
Fri 21 Oct 2016
at 04:28
Cleartext passwords?
In reply to Evil Empryss (msg # 3):

The "so what" attitude is shared by a lot of people online, actually, and is why most things online are created without giving a thought to security. (Not saying jase hasn't considered it, but he's only one person. I know that struggle.) You may think it's not a big deal, Evil Empryss, but a lot of security experts would disagree with you, specifically because so many people reuse passwords on multiple sites.
Evil Empryss
 member, 1508 posts
 Try tasting your words
 before spitting them out
Fri 21 Oct 2016
at 05:01
Cleartext passwords?
My point is that one should put their stress and resources where they do the most good or prevent the most harm.  Changing the password delivery system would be like insisting that there be a safe-sex squad making sure people are using protection to prevent STDs: more work for no more good or less harm than the current system is already providing and the result is likely to be fruiting annoying to all involved.

If someone is dumb or lazy enough in this day and age -- with all the media attention that has come from recent hacks into social media accounts -- to reuse a password from a game site on another site that might have something more important to protect, then the problem is the user, not the site.  Responsibility ultimately has to fall on those not following safe practices, and there's only so much anyone can do outside of education to stop people from being stupid.  It would be a waste of both jase's stress and resources to mess with a system that is already doing what it needs to be doing for the threat level this site operates under.

Besides, there are a ton of other items I'd like to see jase put effort into rather than something I can take care of myself. ^_^
Merevel
 member, 1153 posts
 The Unlucky Gamer
Fri 21 Oct 2016
at 09:51
Cleartext passwords?
This reminds me of when people finally broke internet security a while back... So yeah, good luck with password security. I wonder how that event resolved.
fireflights
 member, 311 posts
 playing with Fire
 always burns
Fri 21 Oct 2016
at 11:55
Cleartext passwords?
Well, just so you know, for many people it's not their being lazy. It's a memory issue. Some people have memory flaws that make remembering more than one password at a time impossible. So calling people lazy for something you don't necessarily know about is not the way to go with this issue. Just my own input, because while I have multiple passwords, because of meds I am on, it's getting harder and harder for me to remember multiple things, let alone passwords. So I could, in the end, end up becoming one of those people who use the same password for all sites just to make sure I don't keep getting locked out of things.
Shannara
 moderator, 3679 posts
 Whatever you do,
 DON'T PANIC!
Fri 21 Oct 2016
at 12:11
Cleartext passwords?
I use LastPass, personally.

And when people want to give me grief about it, I ask them which is more secure -- it, or all my passwords written out on a piece of paper and posted prominently beside my computer?

Because when more and more websites require a password that:

must contain 2 numbers
must contain 3 special characters
must contain 2 capital letters
at least 10 characters
no sequential numbers
no more than 2 sequential letters
not be a variation of your user name
not be a variation of any password you've used before
must be changed every 90 days

Oh, please.  It's not like I don't have 50+ accounts with passwords.
ashlayne
 member, 1676 posts
 May you have exactly the
 God/dess you deserve. =p
Fri 21 Oct 2016
at 20:35
Cleartext passwords?
KeePass user, here. So I feel you, Shan. I have a blue million passwords for personal stuff, not counting all the passwords I keep up with for work because I am (basically) an IT admin. (I'm really the tech support specialist, but barring a couple of Finance apps and some backend reports that my boss does, he and I basically have the same job.)