This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.

  • mosiacmango@lemm.ee
    link
    fedilink
    arrow-up
    64
    arrow-down
    2
    ·
    edit-2
    1 year ago

    Larian stated on their forum they fixed this behavior and shifted to https 3 years ago. When this was linked several times in thread, people asked OP when this screenshot occured, and OP ignored the questions. Pretty clear that this is a very old screenshot of what is now a non issue.

    What’s to discuss besides OP trying to stir up drama about issues that were resolved years ago?

    • ono@lemmy.ca
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      1
      ·
      edit-2
      1 year ago

      FWIW, it’s not fixed. The screen shot may very well be recent.

      (The post in question was still bad reporting, though, for the reasons I detailed in my other comment here.)

      • El Barto@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        edit-2
        1 year ago

        Are you saying that the parent poster is giving incorrect information?

        Edit: Oy, straight from their membership administration docs (emphasis mine):

        Additionally, using the buttons below, you can delete the user, email the user’s password to him/her, (etc)

        • ono@lemmy.ca
          link
          fedilink
          English
          arrow-up
          7
          ·
          edit-2
          1 year ago

          Are you saying that the parent poster is giving incorrect information?

          Yes. mosiacmango’s comment repeated what others had already said (right down to specific words that I used in the original thread and here), and then jumped to this conclusion:

          Pretty clear that this is a very old screenshot of what is now a non issue.

          Everything about that statement is false. While the circumstances made it seem likely that the screenshot was old, it was not clearly so, and in fact, it turns out the issue is still present. I checked it. A registration email from the test I ran yesterday looked just like the screenshot in question, cleartext password and all.

          Given that Larian reported the issue fixed three years ago, it’s possible that they fixed it locally and some time later upgraded to a new version of the forum software, thereby overwriting the local fix. Perhaps mosiacmango should have considered that before posting incorrect speculation as if it were fact.

        • ____@infosec.pub
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          Ouch… This should never be possible, in any world. If the password can be emailed, it can be seen. If it can be seen, it can be stolen.

    • abbadon420@lemm.ee
      link
      fedilink
      arrow-up
      0
      arrow-down
      7
      ·
      1 year ago

      It’s still an interesting case to discuss and learn about. We don’t ignore and forget about ww2, just because it’s over, do we?!

  • ono@lemmy.ca
    link
    fedilink
    English
    arrow-up
    29
    ·
    1 year ago

    I think the OP of that post would have had a better reception if they had:

    • Responsibly disclosed what they found, rather than using it to stir up drama on social media.
    • Mentioned that it’s just a web forum account, not connected to game accounts or anything else of value.
    • Targeted the software vendor (https://www.ubbcentral.com/) instead of picking on one particular customer who used that software.
    • Refrained from spreading misconceptions and unfounded assumptions about how the technology works.
    • Responded to the reasonable follow-up questions, such as those that came when readers discovered that the problem was reported fixed three years ago.

    People in that thread responded with skepticism and criticism to an irresponsible, misdirected, misleading, alarmist mess of a post. That’s hardly surprising.

  • oleorun@real.lemmy.fan
    link
    fedilink
    English
    arrow-up
    14
    ·
    1 year ago

    Just wow, yeah. Nothing should ever send you a password in cleartext - once that’s been done, a MITM attack’s success rate just went to 100%.

    It’s painless to use password resets if the person forgot the password. Never, ever should a password be in cleartext.

    hunter2

    • hascat@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Many years ago, I had forgotten my password to the Sprint websiteb so I could log in and pay my cellular bill. I had to call customer support to resolve this. After verifying my activity, the support agent read me my existing password one letter at a time. While this was alarming, I was amused she had to spell out a somewhat obscene phrase for me. This was maybe 20 years ago and I no longer use Sprint.

      • exal@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        (one-time)

        You make it sound like an irrelevant detail, but that’s kind of the key part. If implemented properly, it’s only valid once and for a short period of time, which greatly reduces risk.

    • Illecors@lemmy.cafe
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      1 year ago

      MITM attack’s success rate just went to 100%

      No, it didn’t. It’s stupid and shouldn’t be done, but all ham nowadays is encrypted.

      I know that because I’ve been running my email server for some years now, technically breaking one of the RFCs for not allowing unencrypted connections. Zero email has been missed.

  • BlueBockser@programming.dev
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    Everyone seems more interested in nitpicking

    Actually, not everyone in that thread is nitpicking. There’s one comment that’s just a helpful hint.

    But yes, nitpicking is fun. I’ll see myself out.

  • ck_@discuss.tchncs.de
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    A sad truth and sadly not uncommon. Some people seem to get a kick out of showing of how much “smarter” they are than the next person, side tracking the whole conversation in the process. I really don’t get why someone would think that’s called for.

  • lowleveldata@programming.dev
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    OP of that thread was talking about how (they think) the password was stored in plain text instead of this “tree” you’re talking about. The discussion on that was not a nitpick.

    • TrudeauCastroson [he/him]@hexbear.net
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      The forest is bad practice with passwords, since you get an email of your password after setting it.

      The tree is OP not knowing how to describe why it’s bad and saying the wrong reason why.

      • lowleveldata@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        I mean, there were a lot of forests in that thread. Like how it was an old screenshot and they don’t do those emails anymore. Or you shouldn’t re-use passwords anyways. I don’t blame people for missing 1 or 2 forests.

  • hotdaniel@lemmy.zip
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Uh, I seem to recall this happening when I made a Larian account. What happens is you give them your email, they make your account, and email you a temporary password. The temp password is shown in plaintext, as the email shows. Once I saw the email, I logged in to finalize my account and change my password to something secure. It’s not the most modern process, but I wasn’t really that concerned either.

      • hotdaniel@lemmy.zip
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        This was just recently since BG3 came out. Since I first saw this drama I was pretty sure OP was misrepresenting the situation.

  • chameleon@kbin.social
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    The number of people accepting email for some magic thing without in-between mechanisms is ridiculous. If it’s sent in an email you should 100% consider it to be stored in plaintext in multiple places. There is incredible amount of machinery between your mail() call and the end user reading that email, on both the sending and receiving end. For example, my spam filter (rspamd) will likely store a copy of it for a while, and that’s not unique to it.

    What’s in the database is not really relevant. Only the worst instance of storage counts.

  • glad_cat@lemmy.sdf.org
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Definitely. You don’t send passwords, ever, even if it’s encrypted by a quantic email server from the future.

    • frezik@midwest.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Then you realize that some of the game-related 2fa apps out there are more secure than a lot of online banking credentials.