Larion Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.

  • tb_
    link
    fedilink
    English
    10
    edit-2
    1 year ago

    But that still means they had your plaintext password at some point.

    Edit: which, as some replies suggest, may not actually be much of an issue.
    I’m still skeptical about them returning it, however.

    • voxel
      link
      fedilink
      English
      15
      edit-2
      1 year ago

      hashing on client side is considered a bad idea and almost never done.
      you actually send your password “in plain text” every time you sign up.

      • @wim
        link
        English
        -41 year ago

        It’s not a bad idea and it is often done, just not in a browser/webapp context.

        • @wim
          link
          English
          21 year ago

          deleted by creator

          • @wim
            link
            English
            3
            edit-2
            1 year ago

            Sorry, I should have included an example in my comment to clarify, but I was in a rush.

            HMAC is a widely used technique relies on hashing of a shared secret for verifying authenticity and integrity of a message, for example.

    • @Kilamaos@lemmy.world
      link
      fedilink
      English
      31 year ago

      Of course. You receive the password in plain on account creation, do the process you need, and then store it hashed.

      That’s fine and normal

        • @Vegasimov@reddthat.com
          link
          fedilink
          English
          51 year ago

          When you create an account you type your password in. This gets sent to the server, and then it is hashed and stored

          So there is a period of time where they have your unhashed password

          This is true of every website you have ever made a password on

            • @Vegasimov@reddthat.com
              link
              fedilink
              English
              -11 year ago

              I’ve never even heard of the game studio I’m not defending them, I was replying to the person who said the company should never have your unhashed password, and explaining that they have to at some point in the process

          • @dangblingus@lemmy.world
            link
            fedilink
            English
            -71 year ago

            So why would an agent at Larian have man-in-the-middle access between the password being sent to the server, and the auto-hash?