This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and is ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.

  • KairuByte@lemmy.dbzer0.com · 11 up / 23 down · 1 year ago

    it does not mean the passwords were stored in plaintext

    This is debatable. Yes, there is a chance the email is being generated and sent on the fly, before the password is stored. But in situations like this there is a much larger chance it’s being stored in plain text.

      • MajorHavoc@lemmy.world · 5 up / 1 down · 1 year ago

        Reversible hashed password storage isn’t meaningfully better than clear text.

        • The key to reverse the hash is typically (necessarily) stored in the same infrastructure as the password. Bad actors with access to one have access to the combination.
        • Even if an attacker fails to exfiltrate the key to the reversible hash, it’s typically only a matter of days at the most before they can reverse engineer it, and produce plain text copies of every password they obtained the hash of.

        A reversible hash provides a paper thin layer of protection against accidental disclosure. A one way hash is widely considered the bare minimum for password storage.

        Anyone claiming a password has been protected, and then being able to produce the original password, is justly subject to ridicule in security communities.

        • NaN@lemmy.sdf.org · 3 up · edited · 1 year ago

          The one they were sending at registration was prior to hashing. It would not be reversible afterwards.

          • MajorHavoc@lemmy.world · 2 up · edited · 1 year ago

            That’s technically less terrible, then.

            Good for them. /s

            Edited to add the /s for clarity, because the NIST recommended remediation in 2023 for emailing a password is “burn everything down and pretend the organization never existed”. /s

            Again, adding that /s since that’s not actually what NIST says to do, and I am, at best, paraphrasing.

      • KairuByte@lemmy.dbzer0.com · 4 up / 5 down · 1 year ago

        I wasn’t trying to claim what was happening here, simply that one (extremely) bad practice increases the chance of another.

    • Kevin@lemmy.world · 7 up · 1 year ago

      But in situations like this there is a much larger chance it’s being stored in plain text.

      I suppose, but OP said in the title that the passwords were being stored in plaintext, despite that not being the case.

      • MajorHavoc@lemmy.world · 2 up · 1 year ago

        Using “we use a reversible hash” to claim “we don’t store passwords in plain text” is the “corn syrup is not sugar” of the cybersecurity world.

        It’s technically correct, while also a bald-faced lie.

        • Kevin@lemmy.world · 1 up · 1 year ago

          Not sure what you mean here; this is what the forum post said:

          After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.

    • JackbyDev@programming.dev (OP) · 9 up / 4 down · 1 year ago

      Also if they store a copy of that email they’re effectively storing the password in plaintext even if they’ve properly made a salty hash brown for the database.

      • MajorHavoc@lemmy.world · 3 up · edited · 1 year ago

        Yep. And their own email system is probably also logging it somewhere. So are various servers along the way to its destination.
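Added example, not code from the forum in question or from anyone in this thread: the salted one-way storage MajorHavoc describes, plus a registration step that never places the password in the welcome mail, which is the exposure JackbyDev and MajorHavoc point out with stored email copies and mail-server logs. The function names, PBKDF2 parameters and verification URL are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical minimal registration flow (added example, not the forum's code).
# Cost parameters are chosen so the example runs quickly offline; a real
# deployment should follow the cost recommended for its KDF library.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Salted one-way hash. Nothing in the stored record lets anyone recover the password."""
    salt = salt or os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def register(username: str, password: str):
    """Store only the hash; the welcome mail carries a one-time token, never the password.

    Returns (database record, welcome email body). The password string is
    discarded as soon as the hash is computed, so a retained copy of the
    email or a mail-server log cannot leak it.
    """
    record = {"username": username, **hash_password(password)}
    token = secrets.token_urlsafe(24)  # one-time verification token (hypothetical flow)
    email_body = (f"Hi {username}, confirm your account with this one-time link:\n"
                  f"https://forum.example/verify?token={token}\n")  # hypothetical URL
    return record, email_body
```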