# Password concerns



## funnyfarm299 (Mar 26, 2015)

I just received my password in plaintext through my email. This is a HUGE security concern, because it means your entire password database is stored plaintext. If I really need to explain why this is a bad idea, you guys probably shouldn't be running a website.


----------



## tante (Mar 26, 2015)

Was the email from tug?


----------



## funnyfarm299 (Mar 26, 2015)

tante said:


> Was the email from tug?





> Hello from Timeshare Users Group, here is your password to log into the TUG MEMBER ONLY section. Here is your current username and password:
> 
> Username: funnyfarm299
> Password: [redacted]
> ...



And the header is Received: from host.tug1.com (host.tug1.com. [69.16.236.4])


----------



## Passepartout (Mar 26, 2015)

So change your password after you are registered.


----------



## tante (Mar 26, 2015)

Passepartout said:


> So change your password after you are registered.



And don't use this password for any other site.


----------



## DeniseM (Mar 26, 2015)

I will let an Admin give you the full scoop, but your password only lets you log-in to TUG.  It doesn't give you access to your registration info. or payment info.


----------



## funnyfarm299 (Mar 26, 2015)

Ok, the point here is not me, because I use separate passwords for every site. The concern is if the database is compromised, which happens all the time, those passwords are now in someone else's hands. The password should NEVER be readable by anyone.


----------



## funnyfarm299 (Mar 26, 2015)

Passepartout said:


> So change your password after you are registered.



And that doesn't matter because your CURRENT password is stored


----------



## DeniseM (Mar 26, 2015)

funnyfarm299 said:


> Ok, the point here is not me, because I use separate passwords for every site. The concern is if the database is compromised, which happens all the time, those passwords are now in someone else's hands. The password should NEVER be readable by anyone.



They would be able to log into TUG, and that's about it - you can't access your registration and payment info. with your password.


----------



## tante (Mar 26, 2015)

DeniseM said:


> They would be able to log into TUG, and that's about it - you can't access your registration and payment info. with your password.



I think you are missing the point. They are not taking one password from an email, they are taking them all from tug. They can now try those same login credentials on another site or get more info on the users.


----------



## DeniseM (Mar 26, 2015)

tante said:


> I think you are missing the point. They are not taking one password from an email, they are taking them all from tug. They can now try those same login credentials on another site or get more info on the users.



How would they take them all?


----------



## tante (Mar 26, 2015)

DeniseM said:


> How would they take them all?



The same way they took data from anthem. Find a way in and copy your database.


----------



## tante (Mar 26, 2015)

Denise. I'll send you a pm tomorrow when I am at a laptop. I had a long post and tapatalk crashed and I lost it.


----------



## DeniseM (Mar 26, 2015)

That's OK - It's really above my pay grade - I will let an Admin address it.


----------



## funnyfarm299 (Mar 26, 2015)

tante said:


> The same way they took data from anthem. Find a way in and copy your database.



Correct. Also of concern is the email itself. Email is by nature, unencrypted and vulnerable to MITM attacks.


----------



## TUGBrian (Mar 27, 2015)

if someone has access to your email, they likely have access to far more dangerous things than your TUG login info....but that would point to a problem with your own computer...not the security of the websites you visit.

per the "storage" of TUG login info...the only thing stored online is your name (submitted) your email..and the username/password you chose when you joined.  no credit card/etc information is stored anywhere on any TUG system online.


Per your comment of "you probably shouldn't be running a website"...I could point you to countless numbers of articles (try google) of organizations who spend countless dollars and have huge staffs in place to ensure personal information is kept confidential...that report lost access to said information.  If someone is good enough, nothing is safe.

That said, we provide plenty of security measures to ensure access to otherwise sensitive data is not easily accessible (I certainly for obvious reasons have no intentions of explaining those details here on the forum)...however for those who truly do not like this...we would most certainly suggest not using the same password as other more vulnerable places (ie your banking info)...but that same advice would apply to any website.  one should always keep and maintain secure and separate passwords for very sensitive sites.


----------



## funnyfarm299 (Mar 27, 2015)

TUGBrian said:


> if someone has access to your email, they likely have access to far more dangerous things than your TUG login info....but that would point to a problem with your own computer...not the security of the websites you visit.
> 
> per the "storage" of TUG login info...the only thing stored online is your name (submitted) your email..and the username/password you chose when you joined.  no credit card/etc information is stored anywhere on any TUG system online.
> 
> ...



I don't have to have access to an email account to read the emails being sent to it. Tools like Wireshark will take care of that.

As to your second point, it's not the password when you joined, it is your CURRENT password.

And I realize data can be stolen at any time, that's why you take measures such as hashing and salting passwords so that when data is stolen, it's difficult/impossible for hackers to read it.

But here, since there are people that have far more experience than me.


----------



## davidvel (Mar 27, 2015)

funnyfarm299 said:


> Ok, the point here is not me, because I use separate passwords for every site. The concern is if the database is compromised, which happens all the time, those passwords are now in someone else's hands. The password should NEVER be readable by anyone.


I am not commenting on how passwords are stored by TUG (or their implementation of vbulletin, etc.) but simply that your presumption lacks both logic and computer science. The fact that they transmit your user/pw via plain text in an email tells nothing about how that information is stored in the database (DB).

You ASSuME, possibly correctly, that this info is stored in plain text in the DB but this is nothing more than an assumption or educated guess. Maybe the standard vbulletin stores them this way or not. Maybe they have tweaked this or not. Maybe they encrypt the info and have a decrypt algorithm before sending it via plain text, or not.  

My point being, you don't know, but you think you do and show up here and this is your first post. Maybe you're planning an attack on the DB, who knows. But you seem more like a troll than a person with a concerned interest. 

But that's just my assumption.


----------



## funnyfarm299 (Mar 27, 2015)

davidvel said:


> I am not commenting on how passwords are stored by TUG (or their implementation of vbulletin, etc.) but simply that your presumption lacks both logic and computer science. The fact that they transmit your user/pw via plain text in an email tells nothing about how that information is stored in the database (DB).
> 
> You ASSuME, possibly correctly, that this info is stored in plain text in the DB but this is nothing more than an assumption or educated guess. Maybe the standard vbulletin stores them this way or not. Maybe they have tweaked this or not. Maybe they encrypt the info and have a decrypt algorithm before sending it via plain text, or not.
> 
> ...



I'm basing my assumption off of the fact that I have created and implemented websites using password management in an SQL database. In order to obtain the password, it either must be stored in plaintext or something like MD5 or SHA1. Both of those standards are decryptable, which means that anyone who obtained the database could do the same.

And this is not at all related to vbulletin. The BBS side of this site does it correctly by generating a unique token for resetting the password.


And to address your concern that I'm a troll, hardly. I'm just a person who has taken college level courses on databases, ecommerce, and cybersecurity.


----------



## TUGBrian (Mar 27, 2015)

the passwords if stored as you mention above would still be sent to you in plain text (after being decrypted).  but at least you have gone from your original claim of "has to be stored in plain text" to "or encrypted/hash/salt/yadda".

and after resetting your password on the TUGBBS, it sends you the new password in a plain text email.


----------



## Makai Guy (Mar 27, 2015)

The original post here is about one's TUG Member password.  I don't know much about that system, so cannot comment on that.

The BBS and vBulletin, though, I do know a bit about.  One's bbs password is definitely NOT stored in plain text in the bbs database.  What is stored is a hash of the password. (If interested, here's a Wikipedia article about cryptographic hash functions: http://en.m.wikipedia.org/wiki/Cryptographic_hash_function).  When you enter your password to log in, it is run through the same hashing algorithm as was used when you first entered your password and the result is compared with the stored hash value.  If the two hashed values are the same, your password entry is accepted, if not it's rejected.  

Hashing is a one way street - you can't 'unhash' a hashed value to get back to a unique pre-hashed password.  This is why we cannot send you your password after the fact, as only the hashed value is available in the database.

The only time vBulletin can email you your password is immediately after you enter a new password -- while your session is still active and it's still in memory.  Once your session ends the memory is cleared and only the hash value in your database entry is then available.
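To make Makai Guy's hash-and-compare description concrete, together with the salting and reset-token points raised earlier in the thread, here is an added illustration in Python; it is not TUG's or vBulletin's code, and the in-memory dict standing in for the database, the PBKDF2 parameters and the user names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the user table: username -> record.
# Note what is NOT here: the password itself is never stored.
USERS = {}

# PBKDF2 parameters are an assumption for illustration, not a site's real settings.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    # One-way: the salt is random per user, so equal passwords give different hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "reset_token_hash": None}

def verify_login(username: str, password: str) -> bool:
    # Re-hash what the user typed with the stored salt and compare hash to hash.
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def stored_fields(username: str) -> list:
    # What an attacker who copied the table would get: salt and hash, no password.
    return sorted(USERS[username].keys())

def issue_reset_token(username: str) -> str:
    # Because the hash cannot be reversed, "forgot password" mails a one-time
    # token instead of the password; only the token's hash is kept server-side.
    token = secrets.token_urlsafe(32)
    USERS[username]["reset_token_hash"] = hashlib.sha256(token.encode()).digest()
    return token

def reset_password(username: str, token: str, new_password: str) -> bool:
    rec = USERS.get(username)
    if rec is None or rec["reset_token_hash"] is None:
        return False
    if not hmac.compare_digest(rec["reset_token_hash"],
                               hashlib.sha256(token.encode()).digest()):
        return False
    set_password(username, new_password)  # also clears the token: single use
    return True
```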


----------



## davidvel (Mar 27, 2015)

funnyfarm299 said:


> I'm basing my assumption off of the fact that I have created and implemented websites using password management in an SQL database. In order to obtain the password, it either must be stored in plaintext or something like MD5 or SHA1. Both of those standards are decryptable, which means that anyone who obtained the database could do the same.
> 
> And this is not at all related to vbulletin. The BBS side of this site does it correctly by generating a unique token for resetting the password.
> 
> ...


Congratulations on your coursework. Some people here were in college before the internet existed. TRS-80, Commodore 64, punch cards, mainframes, etc.  

Troll: A person whose sole purpose is to seek out people to argue with on the internet, or generally causing a ruckus on such forums.

Ok, so you're not a "troll". You're interested in timeshares, buying, selling, renting, the whole shebang. 

Or, you're concerned about the users here. "Yeah, that's the ticket." 
Makai Guy nailed it. Nothing to see here, move along.


----------



## TUGBrian (Mar 27, 2015)

I certainly don't mind legitimate efforts and concerns to make the site better!  It at the very least has gotten me chatting with the individual who designed our membership database to ensure it is properly protected (within reason of course).


----------



## Ken555 (Mar 27, 2015)

And...this is a good time to remind everyone to use a password manager like 1Password or LastPass.


Sent from my iPad


----------

