Website intentionally stealing passwords?

Discussion in 'Off-Topic' started by Ryuk, Feb 24, 2014.

  1. Ryuk

    Thread Starter New Member

    Oct 9, 2012
    I have a strong suspicion about a particular forum website that is recording users' passwords (without encryption) every time they try to log on. So the admin can see the password for every user.

    I know the servers for this website are hosted in the United States. Is this breaking any particular laws?
  2. mcgyvr

    AAC Fanatic!

    Oct 15, 2009
    Nope.. You only get into certain laws like that for credit card transactions..
  3. tshuck

    Well-Known Member

    Oct 18, 2012
    How else would you log in?

    The administrator has access to everything on the server, that's the point.
  4. Georacer


    Nov 25, 2009
    No, this is not how it is done.

    Check this video out for more info on password storage:
  5. takao21203

    Distinguished Member

    Apr 28, 2012
    Only a matter of statistics. Recently (a few days ago) "they" hacked into a wiki I created on my domain website- filling up the database with 100s of Mbytes of SPAM- all automated.

    They gained the password from somewhere. It is a password I use for many years. Recently I started to use a different one for most my accounts.

    I got a notice from my ISP and simply deleted the wiki- there was not much in it, just one page about Steatoda Nobilis spiders.

    If you log in with the same password into many websites, it is a matter of time until it gets stolen somewhere, and hackers will try it everywhere.


    If they trade the password or give it to someone not involved with the maintenance of the website, it is a criminal act, such as privacy breach, wire fraud and so on. Chances are they are as well involved into other crimes such as software piracy and things I dont want to name.

    If you log into a forum which allows "warez", good luck.

    How do you know their ISP is in the US?
  6. tshuck

    Well-Known Member

    Oct 18, 2012
    I'm failing to see how what I said implies, or otherwise is refuted by what I said.

    The administrator has access to the salt key, and the hashing algorithm(they made/incorporated it). The admin could, theoretically, recover all of the passwords.
  7. shteii01

    AAC Fanatic!

    Feb 19, 2010
    Let us establish a few things.
    1. It is their forum.
    2. You go to their forum and use it.
    3. You follow their rules.
    4. If you don't like their rules, don't use their forum.

    I have several e-mail accounts, none of them use my real name. I use them for registering to various forums. So basically I have several identities, each identity for specific area of my interest.
  8. Georacer


    Nov 25, 2009
    Hashing algoritmhs are not invertible. Or at least, they shouldn't be. Over the years, new hashing algorithms and methods are created, a few years later someone breaks them and the search for a better hasher ensues.

    Another safety feature is that most probably those security measures and encoding procedures are offered as certified, stand-alone libraries of code, which admins embed in their sites. They don't have to write the code from scratch, complete with bugs.

    To convey my thoughts better, yes, the admin of any subscription site could be storing the passwords in plain .txt. But that isn't in the admin's interests (usually).