passwordfail.com
(15 posts, started )
#1 - hda
passwordfail.com
So the purpose of this website is to list websites that store passwords in clear text, thus being insecure.

So a friend of mine mentioned this website on twitter and I got a bit surprised when I saw LFS.net listed. I find that a bit odd so this is meant to be a heads-up for Victor, to either fix the issue (I doubt there's one) or to sort things out with the author of the website.

http://www.passwordfail.com/websites.aspx
How can he know LFS.net stores passwords in clear text?
The actual "problem" is that LFS.net "Sends Password In Clear Text Upon Request". By filling in your e-mail address here:
http://www.lfs.net/?page=loginretreive

I guess a more secure way would be to send a new password instead.
Quote from traxxion: I guess a more secure way would be to send a new password instead.

or email a URL to the user with a URL to a password change form.

but I don't really see how this is such a big deal, unless someone hacked said user's inbox as well, but if that's the case, well, they have bigger issues to deal with.
Personally, I protect all passwords as much as I can. But when I do forget one I don't want to go through a bunch of BS to remember it; I don't see how it is more secure to change the password on a user;

If said 'hacker' knows a person's e-mail, it doesn't matter if the password is sent directly to the e-mail or if a changed password is sent to e-mail or if the change password url is sent. The hacker will still be able to access your account, and hell if they know your e-mail info they could delete the proof and leave no trace; for you to be locked out of said game/website etc.

The only benefit to changing password before sending, and or using the url is that said 'hacker' doesn't know the exact password used and will be less likely to guess your passwords on other websites/applications; however if they got into your e-mail they could use that known password for guessing other passwords. As well as once your e-mail is hacked you likely have larger problems.
I just wanted to tack on a sidenote to this thread... it seems that lfs.net and lfsforum.net appear on bugmenot.
Not too surprising really about the 'BugMeNot' I mean, sure I don't receive random e-mails from LFS; but that doesn't mean that I wouldn't have created a temp e-mail addy to register. It does (at times; LFS is not one of those times) bug me when you need an e-mail addy to register to something _useless_. I fully understand an e-mail used for certain registrations, but I think it should be optional on others; though of course that's where the issue of bots comes in worse than they are now... idk :/ lose-lose situation I guess.
Quote from traxxion: The actual "problem" is that LFS.net "Sends Password In Clear Text Upon Request". By filling in your e-mail address here:
http://www.lfs.net/?page=loginretreive

I guess a more secure way would be to send a new password instead.

Never really thought about it, but that's actually surprising, as it means LFS really does store passwords in clear text, or at least in a form that allows decryption (tbh, I think the latter).

The problem is twofold; First, if your mail account is compromised the hacker can gain access to the account without you noticing that something is amiss (he just deletes the password retrieval mail and you'll never know). On a password reset / reassign your account might be compromised or stolen, but at least you know that happened because you can't login anymore, which should make any sensible person change all his passwords immediately to limit damage. Second, by knowing the cleartext password you can potentially hack into other accounts of the victim that might be linked to a different inaccessible mail account (or where a "password forgotten" would reset the password), because many people use the same or similar passwords for various sites.

Other than that, storing the passwords in cleartext could cause all of the above to happen if the LFS database is breached somehow, so not only the LFS accounts would be affected, but potentially much more important / painful-to-deal-with places too. Though as I said above, I really don't think LFS does that but uses a decryptable format instead. Would be kinda ironic if the creators of such otherwise good software committed such a security faux pas.


However, what I don't understand is why the passwords are even decryptable. They should just use a good hashing algorithm and compare the password input to the hash instead, because even the LFS devs should have no business in actually knowing my password. The only "benefit" from decrypting the passwords is so that you can send it in the password retrieval mail, but as we know that's not a tangible benefit for anyone at all.
#9 - hda
Quote from AndroidXP:
However, what I don't understand is why the passwords are even decryptable. They should just use a good hashing algorithm and compare the password input to the hash instead, because even the LFS devs should have no business in actually knowing my password. The only "benefit" from decrypting the passwords is so that you can send it in the password retrieval mail, but as we know that's not a tangible benefit for anyone at all.

I don't think passwords are decryptable, they are just stored in simple text. I didn't know about the login retrieve page traxxion mentioned, that's a pity and I think it should be changed. Passwords should be encrypted.
yeah I'll agree it's not the best, storing passwords in readable form, albeit encrypted.
I guess I just needed a little push to make the change, which I've done now. The encrypted password data has been deleted from the database and I have changed the password retrieval method to a password reset one whereby you need to click a link in an email which opens a page where you can set a new password. So the password is now only stored in digest form and it is never sent to you anywhere.

edit - I've no idea how to notify them though
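An added example (not LFS.net's or Victor's code) of the two fixes discussed in this thread: AndroidXP's point that only a digest of the password needs to be stored and compared, and Victor's link-based reset where the password itself is never mailed. All names are hypothetical, PBKDF2-HMAC-SHA256 is assumed as the digest function since the thread does not name one, and the in-memory "database" is constructed for the example.

```python
# Added example, not LFS.net's code: digest-only password storage plus a
# link-based reset flow. Class and function names are hypothetical.
import hashlib, hmac, os, secrets, time

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster

def hash_password(password, salt=None):
    """Return "salt$digest" (hex). A random per-user salt means two users
    with the same password get different digests in the database."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

class Accounts:
    """In-memory stand-in for the user table (constructed for this example)."""
    TOKEN_TTL = 3600  # reset links stop working after an hour

    def __init__(self):
        self.users = {}   # email -> "salt$digest"; the plaintext is never kept
        self.resets = {}  # sha256(token) -> (email, expiry)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        stored = self.users.get(email)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, email, now=None):
        """Return the one-time token to embed in the emailed link. Only its
        hash is kept server-side, so a leaked table exposes no usable links."""
        if email not in self.users:
            return None  # caller shows the same "check your inbox" message either way
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.resets[key] = (email, (now or time.time()) + self.TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use), reject it if expired, store a new digest."""
        entry = self.resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or (now or time.time()) > entry[1]:
            return False
        self.users[entry[0]] = hash_password(new_password)
        return True
```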
Thank you very much!

Seems like they can only be contacted via Twitter somehow.
#12 - hda
hm, I'll give the website's creator a heads up

and thanks Victor
#13 - hda
nice, thanks for dropping the message
Good to know that the devs care about our security
