[Suggestion?] Servers that do not hash passwords

account
security
password
privacy
#1

Some time ago I was just messing around with my own server. I didn’t run one, I was just trying codes, experimenting the capabilities, learning and at the same time creating any kind of code possible. Can’t remember why, but after a short period of time for some reason the hype for creating a gamemode went away. It was either personal life reasons or some other reason having to do with computing. Has been quite a while since I took a look back at FiveM. Not long ago I started watching some videos of a role-play server that had many twitch streamers playing in it. I got interested in that server. But… When I registered on that servers forum, went on to settings to change a few of them, I found that you can connect your forum account with your Discord. Here is a little glimpse of the setting page what it looked like:

After seeing the “Show” button in the Password line I wrote a profile status on that servers forum basically saying that the owner or whoever set up the forum is up to no good, because that “Show” button means that the passwords on that forum are not hashed/encrypted in any way and posted this video:

One person replied that it has to do with the user clicking on “Save password” when the browser asks if you want to save the login information. So then I tried logging in through Microsoft Edge and not saving the login information. So I went to that exact same setting page and the “Show” button was still there even if I didn’t save the password. So this has nothing to do with the browser login information saving.

I then went on to search more about the forum. I found out that the forum page was registered ~2016 and the forum software used at that time had the capability and by default was set to hash/encrypt forum user account passwords. Which means the owner or the person who set up the forum changed the forum settings not to hash/encrypt account passwords. Which basically means that person or a group of people who thought of doing that are up to no good. After ~2 days I was met with this sweet message in the forum:

My suggestion in this topic would be to stay away from servers that do not hash/encrypt passwords and there should be a rule added if there isn’t already one that would not allow server owners not to hash/encrypt account passwords exposing the possibility of great damage happening to lots of people.

0 Likes

Servers that do not hash/encrypt account passwords
#2

That does not mean there not encrypted its simply letting you see the password before confirming there is a lot of people that do this so you dont accidentally make a typo.

Some sites also do this with logging in such as banks and what not so you can see if you are typing it correctly.

but in your example this is happening before the account is even made.

either way, any site has the ability to let you see your password whether its encrypted or not.

0 Likes

#3

As stated above, if that’s the form to request the binding of the two accounts, there’s no issue with “view password”. If it’s in the user’s account panel and the password is being provided to them without their submission, then it’s not being stored using a 1 way hash.

0 Likes

#4

Just wanted to add onto what is stated above. When you type in the password into the field whether it’s when you register, login to change a setting you are literally typing the password as is. If your password is ‘password123’ that is what you type. The field is so you can actual type in it and all the field is doing is changing the characters on “front” side to show as dots but the actual password is still there and when you press submit or whatever that is when it get hashed by the software.

Next time I would recommend you look into how these things work before you freak out.

0 Likes

#5

The picture was made in the account settings and not while creating the forum account. You can go to the account settings after 120 days, click on the “Show password” button and still see the password. It was a setting where you could associate your Discord account with the forum account. You would go to that setting page, could click on the “Show” button and see your password in plain text. This was not during the account creation.

I know this. During account creation, some websites allow to see the password you want to use so you don’t involve mistakes in your password. But the Discord association with the forum setting was viewed after creating the account. And I double checked it one day after. I still could have viewed the password. If it was what you said it was or it was something else and that could have been explained to me without any problems, then why was I forum banned? Why did they feel the necessity to forum ban me?

0 Likes

#7

I just did exactly what you did and no password is being inputted meaning the browser is saving your password.
You clearly banned for the right reason. They don’t take stupid stuff anywhere on their server.
I have setup many website uses Xenforo and no version has ever had an option to not hash a password.
If you don’t like that you password gets saved on the browser then you should disable it being saved from within your browser settings.

0 Likes

#8

I think you are misunderstanding what/how the browser affects passwords. When you type in a password, it will display as dots, because the input type is password. If you inspect element and change it from password to text, you can see the password in plain text. This does not affect how your password is hashed/salted/stored. Clicking the Show button only changes the inputs type from password to text so you can see it. When you click Login/Submit/Register that password is sent to the websites php, or whatever they are running. They hash/salt it, and then store it.

When your browser asks if you would like to save the login information, this information (email, password) is store on your computer locally. This does not affect how passwords are stored on the website/server side.

because that “Show” button means that the passwords on that forum are not hashed/encrypted in any way

The show button just changes the view of the input from dots to text. You aren’t actually submitting dots as your password. It shows as dots as a security measure. Say you were streaming on Twitch, all they would see is dots, unless of course, you clicked Show password.

0 Likes

#9

I have to make my replies as short as I can or else it says it requires a moderator approval and it never gets posted lmao. I could send you more information if you would like in PM’s of course.

0 Likes

#10

I wonder how you knew what forum I was talking about. The fact that you said I was banned for the right reason is a dead giveaway so I won’t waste anymore time replying to you. Also mind the fact that you ignored that I went on to another browser, logged in to the same forum, didn’t save the password and still could see the password makes you a big ignorant.

0 Likes

#11

And I don’t know how many times I will have to repeat myself, but I’m repeating again, I went on to try with another browser that did not have the password saved, I logged in to that forum, did not save the login information and still could have seen the password.

0 Likes

#12

You logged into that forum. it just put your password in the box?

0 Likes

#13

Lol dead giveaway about what? The first image literally says the server name in it but you think what you want. The browsers can share information so it’s possible that you have the browsers sharing information. You might want to look up what ignorant means because that last sentence makes absolutely no sense.

Like I said in my last post, I did exactly what you did and it didn’t save any information or show anything when I went to it.

Would you like a video of it not showing anything?

0 Likes

#14

This is not about the registration/login fields. This is in the account settings. I went on to try out with another browser that did not have the password saved. I logged into that forum, did not save the password. That’s it. I’m logged in. Then I go to the account settings and clicked on a setting that would allow to associate the forum account with your Discord account. And in that setting page you could see this:

Why don’t I just private message you the forum link and you can see it for yourself?

0 Likes

#15

This will be the third time of me saying that I did exactly that and nothing is there.
Not sure how many times this will be but it’s your browser putting in the password.

0 Likes

#16

You realize this means nothing right? just because it allows you to see your password it does not mean its not encrypted.

Its not that hard of a concept to understand.

And this topic is so unnecessary as FiveM has no control over how server owners manage there servers, if you got an issue take it up with them although this one i wouldn’t bother as its literally not even an issue just you being paranoid.

Don’t tell your browser to save passwords if you don’t want it to auto fill there.

0 Likes