I have a strong suspicion about a particular forum website that is recording users' passwords (without encryption) every time they try to log on. So the admin can see the password for every user.

I know the servers for this website are hosted in the United States. Is this breaking any particular laws?

 

Nope.. You only get into certain laws like that for credit card transactions..

 

I have a strong suspicion about a particular forum website that is recording users' passwords[...]

How else would you log in?

The administrator has access to everything on the server, that's the point.

 

How else would you log in?

The administrator has access to everything on the server, that's the point.

No, this is not how it is done.

Check this video out for more info on password storage: https://www.youtube.com/watch?v=8ZtInClXe1Q

 

Only a matter of statistics. Recently (a few days ago) "they" hacked into a wiki I created on my domain website- filling up the database with 100s of Mbytes of SPAM- all automated.

They gained the password from somewhere. It is a password I use for many years. Recently I started to use a different one for most my accounts.

I got a notice from my ISP and simply deleted the wiki- there was not much in it, just one page about Steatoda Nobilis spiders.

If you log in with the same password into many websites, it is a matter of time until it gets stolen somewhere, and hackers will try it everywhere.

2

If they trade the password or give it to someone not involved with the maintenance of the website, it is a criminal act, such as privacy breach, wire fraud and so on. Chances are they are as well involved into other crimes such as software piracy and things I dont want to name.

If you log into a forum which allows "warez", good luck.

How do you know their ISP is in the US?

 

No, this is not how it is done.

Check this video out for more info on password storage: https://www.youtube.com/watch?v=8ZtInClXe1Q

I'm failing to see how what I said implies, or otherwise is refuted by what I said.

The administrator has access to the salt key, and the hashing algorithm(they made/incorporated it). The admin could, theoretically, recover all of the passwords.

 

Let us establish a few things.
1. It is their forum.
2. You go to their forum and use it.
3. You follow their rules.
4. If you don't like their rules, don't use their forum.

I have several e-mail accounts, none of them use my real name. I use them for registering to various forums. So basically I have several identities, each identity for specific area of my interest.

 

I'm failing to see how what I said implies, or otherwise is refuted by what I said.

The administrator has access to the salt key, and the hashing algorithm(they made/incorporated it). The admin could, theoretically, recover all of the passwords.

Hashing algoritmhs are not invertible. Or at least, they shouldn't be. Over the years, new hashing algorithms and methods are created, a few years later someone breaks them and the search for a better hasher ensues.

Another safety feature is that most probably those security measures and encoding procedures are offered as certified, stand-alone libraries of code, which admins embed in their sites. They don't have to write the code from scratch, complete with bugs.

To convey my thoughts better, yes, the admin of any subscription site could be storing the passwords in plain .txt. But that isn't in the admin's interests (usually).