F95 Password protection

G

Gregorif

Newbie
Mar 19, 2018
25
20
So I recently had my account blocked until I changed my password for a more secure one, and sure, I did

But as I was doing it, I saw the "show password" button, which once pressed indeed showed the password I had set previously, and ...

WHAT THE HELL ????!!!!

Password for F95 are NOT encrypted in the database ?
Anyone with database access has the password of EVERYONE on the website ?

Password encryption on account creation has been a web standard for over 20 years, it is unthinkable that a community of 8,679,949 accounts (at the time of this message) would not implement such a basic security feature

Please patch this as soon as possible, because making people change their passwords is pointless if EVERY password can be accessed at once by phishing one admin
 
osanaiko

osanaiko

Engaged Member
Modder
Jul 4, 2017
2,898
5,553
Please tell us that you are trolling, or apologize for you poor understanding of web technology.

The "old password" field only contains the data you input on the client side. The show password switch uses JavaScript to change the input field type to reveal the content you have put into the field. Nothing comes from the server.
 
  • Like
Reactions: morphnet, anne O'nymous, c3p0 and 2 others
Count Morado

Count Morado

Fragrant Asshole
Donor
Respected User
Jan 21, 2022
9,907
19,316
Gregorif said:
So I recently had my account blocked until I changed my password for a more secure one, and sure, I did

But as I was doing it, I saw the "show password" button, which once pressed indeed showed the password I had set previously, and ...

WHAT THE HELL ????!!!!

Password for F95 are NOT encrypted in the database ?
Anyone with database access has the password of EVERYONE on the website ?

Password encryption on account creation has been a web standard for over 20 years, it is unthinkable that a community of 8,679,949 accounts (at the time of this message) would not implement such a basic security feature

Please patch this as soon as possible, because making people change their passwords is pointless if EVERY password can be accessed at once by phishing one admin
Click to expand...
Dude. You had your old password saved in your web browser. That's what you saw when you clicked "show password."
 
  • Like
Reactions: morphnet, F4C430 and anne O'nymous
anne O'nymous

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
11,734
18,108
Ryahn said:
Yes yes, we store everything in plain text. Including your social security or equivalent. /s
Click to expand...
Oh thanks god... I forgot mine and can't find it back in the mess that is my home. Please, what option should I select for my ticket, in order to ask you to tell me what it is?
 
c3p0

c3p0

Conversation Conqueror
Respected User
Nov 20, 2017
6,443
15,179
anne O'nymous said:
Oh thanks god... I forgot mine and can't find it back in the mess that is my home. Please, what option should I select for my ticket, in order to ask you to tell me what it is?
Click to expand...
You're an absolute beginner. You should have asked for Sam or Ryahn's password.:FacePalm:
I mean it is logical, if you forgoten your own, you can't log in as your own...
 
anne O'nymous

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
11,734
18,108
c3p0 said:
You're an absolute beginner. You should have asked for Sam or Ryahn's password.:FacePalm:
I mean it is logical, if you forgoten your own, you can't log in as your own...
Click to expand...
No, my password I remember it. It's something fundamental, one can't have a normal life without it. What I forgot is my social security number...
 
MissCougar

MissCougar

Member
Feb 20, 2025
143
235
Most modern systems don't store any raw passwords. It's some sort of salted hash that is saved to a DB or auth mechanism. When you log in it hashes your entry against the previous hash and if they match the password is valid.
 
You must log in or register to reply here.
Top Bottom