You are storing our passwords plaintext!? *sigh

By Grennba, in The FFG Website

I just wanted to say that the FFG website has really started off on a bad foot. I love your products, but you've really disappointed me here with this one thing...

As soon as I registered for the FFG website, I had my password emailed to me in plaintext.

While some may not see why this is so unacceptable, for someone who regularly deals with security issues at work, I am not happy to see this. Not only does this mean that you have broadcast every user's password over a very insecure channel, but it also shows a general lack of care for user security in your systems.

I welcome you to read any book on secure coding or computer security; most will at least mention the manner in which you should handle user passwords. In general... you should refrain from storing anyone's password in plaintext, anywhere on any system. The only time that FFG (or anyone) should be able to see a password is when they are entering it for the first time. As soon as the password has been entered into the system, FFG should hash it, and immediately wipe the portion of memory that the plaintext password was on. By following this simple protocol, not even FFG should be able to retrieve the passwords that are entered. To check whether the password has been entered correctly, you can simply hash a user's password input and compare that with the hash you have stored in your database. But there is absolutely no need to store our passwords at any time in plaintext. (There are many more precautions to take into account while handling these passwords: specifying it as a critical section of code, salting the hashes, etc.)

Though you may not consider this a big deal, it is a potential lawsuit waiting to happen for FFG. And I personally don't want to see FFG get bogged down in lawsuits when what they need to be doing is supplying me with a steady stream of entertainment. ;)

If someone were to take advantage of this security hole and collect user passwords, they could then take those user passwords and attempt to use them on other websites. While it is true that you should never use the same password in more than one place, I think we all know that quite a few people don't follow this standard. So if it is found that FFG leaked someone's banking password to a criminal, it is possible that someone would try to point the finger at FFG.

So go spend a couple more bucks on the site's security, it'll be worth it in the end,

- Grennba
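The register-then-verify protocol described in the post above, written out as an added example (not code from the original thread or from FFG's site). It uses only the Python standard library: a per-user random salt, PBKDF2-HMAC-SHA256 as the slow hash, and a constant-time comparison at login so the check does not leak how many bytes matched. The stored record format, the iteration count, and the in-memory "user table" are assumptions made for this example; a real deployment would use a database column and, commonly, a dedicated library such as bcrypt or argon2. Note that in Python the "wipe the plaintext from memory" step cannot be done reliably (strings are immutable and copied freely), which is one reason the plaintext should never be written anywhere to begin with.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters chosen for this example (assumptions, not anything FFG uses).
# 600,000 iterations of PBKDF2-HMAC-SHA256 follows current OWASP guidance.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    Only the salt and the derived key are kept; the plaintext is never stored.
    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked in bulk with one
    precomputed dictionary.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the candidate password and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids an early-exit comparison that would leak
    # timing information about how much of the hash matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# A constructed stand-in for the site's user table: username -> stored record.
# Nothing in it would let an operator (or a thief) read back a password.
USERS: Dict[str, str] = {}


def register(username: str, password: str) -> None:
    """Registration: hash immediately; the plaintext is not kept or emailed."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Login: hash the supplied password and compare with the stored record."""
    stored = USERS.get(username)
    if stored is None:
        # Still do the work so a missing user is not distinguishable by timing.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("grennba", "correct horse battery staple")
    print(USERS["grennba"])                       # record contains no plaintext
    print(login("grennba", "correct horse battery staple"))  # True
    print(login("grennba", "wrong password"))                # False
```

The record stores its own algorithm name and iteration count, so the work factor can be raised later for new or re-hashed passwords without invalidating existing ones; `verify_password` simply reads the parameters back from the record it is checking.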

Thanks for your insight, we'll look into this!!

cP
FFG

Nearly two years later, nothing's changed. Do you even care about this?