Passwords stored in plain-text #18


  • Defect
  • Waiting
Open
Assigned to greatman321
  • _ForgeUser7636985 created this issue Apr 19, 2012

    I just noticed that the database that OKB3 uses to keep track of users stores the users' passwords in plain-text in the database. This is a HUGE security flaw. Passwords should NEVER be stored anywhere in plain-text and this needs to be fixed, and as soon as humanly possible.

    The majority of user account breaks occur because one site had poor security on their server and they stored the users' passwords in plain text, giving the attackers access to a ton of users' other accounts because people tend to use the same password over and over again.

    Also, if someone is using this plugin and the forum's database is on a different server, the passwords are being sent over the network in plain-text (since you are unable to force SSL usage) and anyone could pick up that transmission and collect people's passwords.

    You should be hashing the password the moment your plugin receives it, store the hash of the password, and compare the hashes. Never do anything else with the plain-text password except for the initial hashing.

    This is not ok at all. Please fix, because I can not in peace of mind let anyone be put in this kind of risk.

    Please read sections 3.1.1 and 3.1.2 on this document to learn a bit about proper password handling:
    http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf

    I'll see if I can dig up a bit more documentation if you would like.

  • _ForgeUser7636985 added the tags Defect New Apr 19, 2012
  • greatman321 removed a tag New Apr 22, 2012
  • greatman321 added a tag Waiting Apr 22, 2012
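The pattern the reporter asks for (hash the password on receipt, persist only the hash, compare hashes on login) as an added, self-contained example. This is not OKB3's code: the plugin is a Java/Bukkit project, and this illustration is in Python so it runs stand-alone; the choice of PBKDF2-HMAC-SHA256, the iteration count, the record format and the `UserStore` table are all assumptions of the example, not anything the issue specifies. Each stored password gets its own random salt, the work factor is recorded beside the hash so it can be raised later, and verification uses a constant-time comparison.

```python
"""Hash-on-receipt password storage (illustrative example, not OKB3's code).

The plain-text password exists only long enough to be hashed; the database
row holds a salted, iterated PBKDF2 hash and nothing else.
"""
import hashlib
import hmac
import secrets
import sqlite3

# Assumed parameters for the example: a per-user random salt and a work factor
# high enough that brute force is expensive (tune to your hardware).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh salt: same password != same hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or non-record value: never a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


class UserStore:
    """Minimal user table that keeps only password hashes (constructed example)."""

    def __init__(self, iterations: int = ITERATIONS):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
        self.iterations = iterations

    def register(self, name: str, password: str) -> None:
        # The password is hashed immediately; the plain text is never written anywhere.
        record = hash_password(password, iterations=self.iterations)
        self.conn.execute("INSERT INTO users (name, pw_hash) VALUES (?, ?)", (name, record))
        self.conn.commit()

    def login(self, name: str, password: str) -> bool:
        row = self.conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
        if row is None:
            # Spend the same work for unknown users so the response time does not
            # reveal which account names exist.
            hash_password(password, iterations=self.iterations)
            return False
        return verify_password(password, row[0])

    def stored_record(self, name: str):
        """What actually sits in the database for this user (for inspection only)."""
        row = self.conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("stored:", store.stored_record("alice"))
    print("right password:", store.login("alice", "correct horse battery staple"))
    print("wrong password:", store.login("alice", "hunter2"))
```

Because the salt and iteration count travel with the hash, an existing user's record can be re-hashed with a higher work factor at their next successful login without any schema change; and since the database row never contains the password, a leaked table or an unencrypted database connection exposes only hashes rather than reusable credentials.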
