Larian Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.

  • tb_@lemmy.world
    1 year ago

    But that still means they had your plaintext password at some point.

    Edit: which, as some replies suggest, may not actually be much of an issue.
    I’m still skeptical about them returning it, however.

    • voxel
      1 year ago

      hashing on client side is considered a bad idea and almost never done.
      you actually send your password “in plain text” every time you sign up.

      • wim@lemmy.sdf.org
        1 year ago

        It’s not a bad idea and it is often done, just not in a browser/webapp context.

          • wim@lemmy.sdf.org
            1 year ago

            Sorry, I should have included an example in my comment to clarify, but I was in a rush.

            HMAC is a widely used technique that relies on hashing of a shared secret for verifying authenticity and integrity of a message, for example.

    • Kilamaos@lemmy.world
      1 year ago

      Of course. You receive the password in plain on account creation, do the process you need, and then store it hashed.

      That’s fine and normal

        • Vegasimov@reddthat.com
          1 year ago

          When you create an account you type your password in. This gets sent to the server, and then it is hashed and stored

          So there is a period of time where they have your unhashed password

          This is true of every website you have ever made a password on

            • Vegasimov@reddthat.com
              1 year ago

              I’ve never even heard of the game studio; I’m not defending them. I was replying to the person who said the company should never have your unhashed password, and explaining that they have to at some point in the process.

          • dangblingus@lemmy.world
            1 year ago

            So why would an agent at Larian have man-in-the-middle access between the password being sent to the server, and the auto-hash?

    • Hexarei@programming.dev
      1 year ago

      Um. Yeah, because you provided it to them. They have to have it in plain text in order to hash it.
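
The sign-up flow several comments in this thread describe (the server receives the plaintext, hashes it, and stores only the hash), as an added example that is not part of the thread or any forum's actual code. The dict-backed `db`, the function names, and the iteration count are assumptions for illustration; the point is that a server storing only this record can check a password but has nothing to send back.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this sketch


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted hash of the plaintext (PBKDF2 is built on HMAC)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(db: dict, username: str, password: str) -> None:
    """Server side of sign-up: plaintext arrives, only salt + hash persist."""
    salt = os.urandom(16)  # per-user salt: equal passwords get unequal hashes
    db[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS),
    }
    # Nothing else is written: the plaintext lives only for this request.


def verify(db: dict, username: str, password: str) -> bool:
    """Server side of login: re-derive from the submitted plaintext and compare."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not
        # reveal which usernames exist.
        _derive(password, b"\x00" * 16, ITERATIONS)
        return False
    candidate = _derive(password, record["salt"], record["iterations"])
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, record["hash"])


def record_holds_plaintext(db: dict, username: str, password: str) -> bool:
    """True if the stored record contains the password bytes anywhere.

    A forum that can show or e-mail a user their existing password must be
    keeping something for which this check (or a reversible form) is true.
    """
    needle = password.encode("utf-8")
    record = db[username]
    return any(needle in v for v in record.values() if isinstance(v, bytes))


if __name__ == "__main__":
    users = {}  # constructed in-memory stand-in for the user table
    register(users, "alice", "correct horse battery")
    print(verify(users, "alice", "correct horse battery"))
    print(record_holds_plaintext(users, "alice", "correct horse battery"))
```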