CdnAndrew (New user, 80 Posts)
Are there any plans to update the security protocols in place? I updated my email on my account and was sent a new password in plain text. This is a very insecure and out of date process in web technology and makes me worried about how emails and passwords may be stored in the database.
Anything that can be shared about the security of the email and password database would be helpful. Thanks.
Dave Scribner (Assistant Manager, Lake Hopatcong, NJ, 4837 Posts)
When you updated your email, you were sent a temporary password. That's so you can log in and change it to whatever you want. Passwords are not stored in our database. Emails are kept but are only visible if you select the option to allow others to see it. It is always visible to staff members.
Where the magic begins
CdnAndrew (New user, 80 Posts)
If I had mistyped my email address to one that was valid for someone else, they would have been given full access to my account. That's a security problem. (By mistyping my email, that recipient _also_ gets a fresh plaintext password they can use.)
It is incorrect that the password is not stored. It has to be; that's how authentication works in software. That you were able to send it to me in plain text means the codebase is able to know it, which means it's likely stored in the authentication database in a way that can be easily decrypted into plaintext. This is a vulnerability as well. Is it truly a temporary password? Does it expire? It didn't force me to change it. Do admins have access to read the user database, given you can read our emails? Are you able to view or change passwords via the database directly?
Dave Scribner (Assistant Manager, Lake Hopatcong, NJ, 4837 Posts)
When you change your email address, this warning is on the screen.
Quote:
If you change your email address, be certain it is absolutely correct!

It's your responsibility to make sure what you type is correct. But let's say you ignore the warning and mistype the address with someone else's address (chances of that are pretty slim). Yes, the temporary password is sent to whatever address you type in. We have no way of knowing if the address you type is yours or not, and I don't know of any other site that would be able to distinguish its validity for you. If you changed the email address and didn't get a new password, then you would know something was wrong. Members have to take some ownership in what they type. Even if it was sent to the wrong person, that person would then need to go to the MagicCafe, enter your username and new password. You sound very paranoid about information, so I would assume you would have minimal information in your profile, but even so, no one needs to be logged in to read posts or see a profile.

Yes, your password is stored in a verification database for login purposes, but the only person with access to that database is our single tech person and the owner of the Café. It cannot be searched by anyone. Temporary means it is a computer generated password that you can change if you wish. It doesn't expire. Admins (there are only two of us, by the way) cannot read the databases, nor do we have access to it. We cannot read your emails or your PMs. There's an entire section in our rules forum about this. Also, since we don't have access to the database, we cannot arbitrarily change or view passwords.

Bottom line here is anyone can view any member's profile whether or not they have access to the account. That profile only shows what you have allowed others to see. The only thing another member could do if they had access to your account would be to make a post seemingly from you, which could easily be removed if you saw it happen.
In the 21 years of existence, hacked accounts have happened maybe once or twice, so I believe your concern is an overreaction.
Where the magic begins
CdnAndrew (New user, 80 Posts)
Quote:
It's your responsibility to make sure what you type is correct... Members have to take some ownership in what they type.

This isn't about avoiding responsibility; I recognize The Magic Café is not forcing me to type my email address wrong. However, it is not uncommon that someone may mistype an email accidentally. Auto-correct on many browsers, without correctly identifying an input field as an email input, can get in the way more than it helps. I acknowledge that emails are more typically typed correctly than other pieces of data, but it's an unnecessary risk with easy solutions.

Quote:
Even if it was sent to the wrong person, that person would then need to go to the MagicCafe, enter your username and new password.

Correct. The email received includes all this information: the correct user name and password to log in. Modern web security best practices recommend against sending passwords in plain text to users. The email does not include a hyperlink directly to The Magic Café, so that would slow someone down from taking advantage of this information, sure.

Quote:
This is an unfair judgement. I'm not paranoid about the minimal amount of information I have in my profile (I have as little as I am able, and would love to have less), but it would be very easy for someone to impersonate my account. They've been given my username and an active password; they could log in and post as me... and, since I no longer know the active password, I am unable to log in and don't know how I would go about reporting this problem, given that I couldn't log in or reset my password (because the email would be incorrect). I am simply someone very familiar with the web application industry and know that this kind of security process would not fly if implemented today.

Quote:
Does the owner and tech person have access to read the passwords? I suppose the answer doesn't matter, as it is possible: because the password can be sent in plain text, it is possible for those two people to read my password. Likewise, this is not up to best practices in the web development field, and can possibly put every single account at risk should the database become compromised (a thing that has happened numerous times to many other significantly larger organisations over the last few years).

Quote:
Knowing it is common for many people to re-use emails and/or passwords (which is strongly discouraged by many security practitioners but often ignored), I think it is a reasonable conversation to have, and for members to be aware that their email and/or password (which they may be using on other sites) are not protected with modern, industry best practices.
Dave Scribner (Assistant Manager, Lake Hopatcong, NJ, 4837 Posts)
From the rules forum
Quote:
Please know and understand that contrary to any possible rumors, WE DO NOT READ the private messages of our membership UNLESS a private message is reported to us. THEN - and only then will we read the private message in question. (When a member uses the REPORT THIS PM option a special LINK is sent which allows us to read that individual message only, otherwise it is impossible for us to view the private messages of members.)

Note that we cannot read private messages because we don't know the member's password. Many times our members have forgotten their password and asked us to send it to them. In each case, we have reiterated that we cannot see passwords, so think what you may, we cannot view your password. In any event, to answer your original question,

Quote:
Are there any plans to update the security protocols in place?

NO. There is no reason to do so. The only information visible to anyone on the Café is that information which you have chosen to show. As for posting less information in your profile, currently you only have your username, number of posts made and the date you registered. How much less could you have? If you ever had an issue that you needed to report but couldn't because you couldn't log in, you could always send me an email.
Where the magic begins
CdnAndrew (New user, 80 Posts)
Quote:
As for posting less information in your profile, currently you only have your username, number of posts made and the date you registered. How much less could you have?

I would love to have been able to change my name to something less identifiable, but that request has been pending for just shy of 14 months. My personal email address is available in a database with questionable security practices, and I would love for that to not be true, too. I know it is not possible, but there is not a way to close my own account to be certain it is no longer on file. If you are able to close my account such that it no longer exists, that would be helpful. Thank you.
znelson (New user, Dallas, TX, 33 Posts)
Passwords are typically salted and hashed so even if an admin were to look at the Users table the passwords would be useless. They’re not stored as plain text, and even two users with the same password would have different values in said database Users table because of the salt.
Now that's how most systems are set up. I can't actually speak to the sophistication of the system here.
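As an added illustration of the salted-and-hashed storage znelson describes (example code, not The Magic Café's software): two users choose the same password, yet their stored records differ, logins still verify, and nothing in the record lets an operator read the password back. PBKDF2-HMAC-SHA256 from the Python standard library is used; the iteration count and record layout are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example of a salted, hashed credential store. The work factor
# and the record format below are illustrative choices, not those of any
# particular forum software.
ITERATIONS = 600_000   # slows offline guessing if the table ever leaks
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iters>$<salt>$<digest>'.

    A fresh random salt is drawn per user, so two users with the same
    password get different records and precomputed tables are useless.
    Only salt and digest are kept: the plaintext cannot be recovered from
    the record, which is why a "forgot password" flow must issue a new
    credential or reset token rather than mail the old password back.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False            # malformed record: never accept it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest does not leak how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Two users pick the same password; the stored records still differ."""
    table = {name: hash_password("correct horse") for name in ("alice", "bob")}
    return {
        "records_differ": table["alice"] != table["bob"],
        "alice_logs_in": verify_password("correct horse", table["alice"]),
        "wrong_password_rejected": verify_password("wrong", table["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```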
All content & postings Copyright © 2001-2023 Steve Brooks. All Rights Reserved.
The views and comments expressed on The Magic Café are not necessarily those of The Magic Café, Steve Brooks, or Steve Brooks Magic.