You are storing our passwords plaintext!? *sigh


3 replies to this topic

#1 Grennba

Grennba

    Member

  • Members
  • 1 posts

Posted 20 October 2010 - 02:41 AM

I just wanted to say that the FFG website has really started off on a bad foot. I love your products, but you've really disappointed me here with this one thing...

As soon as I registered for the FFG website, I had my password emailed to me plaintext.

While some may not see why this is so unacceptable, for someone who regularly deals with security issues at work, I am not happy to see this. Not only does this mean that you have broadcast every user's password over a very insecure channel, but it also shows a general lack of care for user security in your systems.

I welcome you to read any book on secure coding or computer security; most will at least mention the manner in which you should handle user passwords. In general... you should refrain from storing anyone's password in plaintext, anywhere on any system. The only time that FFG (or anyone) should be able to see a password is when they are entering it for the first time. As soon as the password has been entered into the system, FFG should hash it, and immediately wipe the portion of memory that the plaintext password was in. By following this simple protocol, not even FFG should be able to retrieve the passwords that are entered. To check whether the password has been entered correctly, you can simply hash a user's password input and compare that with the hash you have stored in your database. But there is absolutely no need to store our passwords at any time in plaintext. (There are many more precautions to take into account while handling these passwords: specifying it as a critical section of code, salting the hashes, etc.)

Though you may not consider this a big deal, it is a potential lawsuit waiting to happen for FFG. And I personally don't want to see FFG get bogged down in lawsuits when what they need to be doing is supplying me with a steady stream of entertainment. ;)

If someone were to take advantage of this security hole and collect user passwords, they could then take those user passwords and attempt to use them on other websites. While it is true that you should never use the same password in more than one place, I think we all know that quite a few people don't follow this standard. So if it is found that FFG leaked someone's banking password to a criminal, it is possible that someone would try to point the finger at FFG.

 

So go spend a couple more bucks on the site's security, it'll be worth it in the end,

- - Grennba
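The hash-then-compare scheme the post describes (with the salting it mentions in passing), as an added example that is not part of the original post or of FFG's site code. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the password hash and a per-user random salt; only the salt and derived hash are stored, never the plaintext.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2 (assumed value); raise it as hardware gets faster.
ITERATIONS = 600_000


def create_record(password: str) -> dict:
    """Turn a plaintext password into the record that gets stored.

    The plaintext is used once to derive the hash and is not kept: the
    returned record holds only a per-user random salt, the derived hash
    and the work factor, which is all that password verification needs.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the login attempt and compare it to the
    stored hash in constant time, so timing does not leak how many
    leading bytes matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_different_records(password: str) -> bool:
    """Why salting matters: two users who pick the same password end up
    with different stored hashes, so a leaked hash for one user reveals
    nothing about the other and precomputed tables are useless."""
    first = create_record(password)
    second = create_record(password)
    return first["hash"] != second["hash"]


if __name__ == "__main__":
    # Constructed sample password, used only to demonstrate the flow.
    stored = create_record("correct horse battery staple")
    print("stored record contains plaintext:",
          "correct horse battery staple" in stored.values())
    print("right password accepted:",
          verify_password(stored, "correct horse battery staple"))
    print("wrong password rejected:",
          not verify_password(stored, "correct horse battery stable"))
```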



#2 EdgarColin

EdgarColin

    Member

  • Members
  • 8 posts

Posted 02 November 2010 - 04:13 PM

yes it is great..




#3 The Spaniard

The Spaniard

    Member

  • Members
  • 61 posts

Posted 10 November 2010 - 04:51 PM

 Thanks for your insight, we'll look into this!!

cP
FFG


Christian T. Petersen

Fantasy Flight Games


#4 asri

asri

    Member

  • Members
  • 30 posts

Posted 13 September 2012 - 04:55 AM

Nearly two years later, nothing's changed. Do you even care about this?






© 2013 Fantasy Flight Publishing, Inc. Fantasy Flight Games and the FFG logo are ® of Fantasy Flight Publishing, Inc.  All rights reserved.