
    1. #1
      Member Rakjavik's Avatar
      Join Date
      Nov 2007
      Gender
      Location
      USA
      Posts
      462
      Likes
      7

      Username and passwords

      I'm assuming that whoever runs this site has access to the passwords of all the users. Which made me start thinking.

      A lot of people use the same usernames and passwords for multiple sites. So if the admins here or on another site have access to what pass you use, they could go to that site (don't remember the address) that checks about a 100 other popular sites for the same username, and use the pass.

      Is this true? Do the admins on here, ebay, youtube, all have access to your password?

    2. #2
      Banned
      Join Date
      Nov 2007
      LD Count
      im here for you
      Location
      australia
      Posts
      3,677
      Likes
      415
      This is more of a meta forum question, and why do you care?
      I'm sure only asher has access to passwords, and he has no reason to use them.

      Again, why do you care? If you're worried about it, change your password to something else.

    3. #3
      FBI agent Ynot's Avatar
      Join Date
      Oct 2005
      Gender
      Location
      Southend, Essex
      Posts
      4,337
      Likes
      14
      passwords are hashed using a one way algorithm, and stored in a database

      When you enter your password, the password gets hashed and compared to the stored hash
      If equal, login accepted
      If not, login denied

      Passwords are not stored in plain text
      To do so would be silly and highly insecure
      (\_ _/)
      (='.'=)
      (")_(")

    4. #4
      ├┼┼┼┼┤
      Join Date
      Jun 2006
      Gender
      Location
      Equestria
      Posts
      6,315
      Likes
      1191
      DJ Entries
      1
      It depends on the forum structure though.

      ---------
      Lost count of how many lucid dreams I've had
      ---------

    5. #5
      What's up [SomeGuy]'s Avatar
      Join Date
      Nov 2007
      LD Count
      About 1
      Gender
      Location
      Tmux on Debian
      Posts
      2,862
      Likes
      130
      DJ Entries
      4
      They're stuffed in an SQL database, no?

      Hey guys, I'm back. Feels good man
      ---------------------------------------------------
      WTF|Jesus lul
      spam removed

    6. #6
      adversary RedfishBluefish's Avatar
      Join Date
      Apr 2007
      Location
      Now
      Posts
      495
      Likes
      4
      Quote Originally Posted by Ynot View Post
      passwords are hashed using a one way algorithm, and stored in a database

      When you enter your password, the password gets hashed and compared to the stored hash
      If equal, login accepted
      If not, login denied

      Passwords are not stored in plain text
      To do so would be silly and highly insecure
      Is that hashing on client or server side?
      Also, would they use a salt (like website name + date or something)? Otherwise someone could use the hash to login to other sites maybe...

    7. #7
      ex-redhat ClouD's Avatar
      Join Date
      Sep 2007
      Posts
      4,760
      Likes
      129
      DJ Entries
      1
      To my knowledge, a unique random salt is assigned to each member.
      That means every password hash is unique, even if two passwords are the same.
      It also means that malicious administrators (which we don't have at DV) cannot use those password hashes to login to other sites.
      The VB login JavaScript code MD5 hashes the password client side, then submits the hash to the server.

      Asher is the only one allowed to access the database, and most staff don't have FTP access to DV at all, let alone the database - which is monitored in the unlikely event that anyone who had access would ever try to access it.

      Highly unlikely that someone on the net is going to be able to get hold of your unique salt and hash after gaining database access, and then crack that with a custom rainbow table (which requires much space, processing power and/or time, and hope that the password is simple) for a plain text password to then search and login on another website. Even then there are obvious precautions against that, just use different passwords for different sites and keep your password/s strong.
      You merely have to change your point of view slightly, and then that glass will sparkle when it reflects the light.
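
The login flow described in posts #3 and #7, as an added example that is not part of the thread and is not vBulletin's own code. The composition MD5(submitted hash + member salt), the function names and the sample password are assumptions made for illustration; the PBKDF2 variant is added here for comparison as a slow key-derivation alternative.

```python
import hashlib
import hmac
import secrets


def client_md5(password: str) -> str:
    # Per post #7: the login page's JavaScript MD5-hashes the password before submitting.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_record(submitted: str, salt: str) -> str:
    # Assumed composition (not confirmed by the thread): MD5(submitted hash + member salt).
    return hashlib.md5((submitted + salt).encode("utf-8")).hexdigest()


def legacy_login(submitted: str, salt: str, stored: str) -> bool:
    # The server never needs the plain text; it recomputes and compares in constant time.
    return hmac.compare_digest(legacy_record(submitted, salt), stored)


def kdf_record(password: str, salt: bytes, rounds: int = 600_000) -> bytes:
    # Hardened variant: a deliberately slow KDF, so each guess against a leaked
    # record costs far more than one MD5 call.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def kdf_login(password: str, salt: bytes, stored: bytes, rounds: int = 600_000) -> bool:
    return hmac.compare_digest(kdf_record(password, salt, rounds), stored)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample password
    salt_a, salt_b = secrets.token_hex(8), secrets.token_hex(8)  # one random salt per member
    submitted = client_md5(password)
    rec_a, rec_b = legacy_record(submitted, salt_a), legacy_record(submitted, salt_b)
    ksalt = secrets.token_bytes(16)
    krec = kdf_record(password, ksalt)
    return {
        "same_password_distinct_records": rec_a != rec_b,
        "right_password_accepted": legacy_login(submitted, salt_a, rec_a),
        "wrong_password_rejected": not legacy_login(client_md5("guess"), salt_a, rec_a),
        "record_fails_under_other_salt": not legacy_login(submitted, salt_b, rec_a),
        "kdf_accepts": kdf_login(password, ksalt, krec),
        "kdf_rejects": not kdf_login("guess", ksalt, krec),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In this flow the server only ever sees the submitted MD5 value, so that value is what has to be protected in transit.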

    8. #8
      FBI agent Ynot's Avatar
      Join Date
      Oct 2005
      Gender
      Location
      Southend, Essex
      Posts
      4,337
      Likes
      14
      (\_ _/)
      (='.'=)
      (")_(")

    9. #9
      Banned
      Join Date
      Apr 2007
      Location
      Out Chasing Rabbits
      Posts
      15,193
      Likes
      935
      Quote Originally Posted by RedfishBluefish View Post
      Is that hashing on client or server side?
      Also, would they use a salt (like website name + date or something)? Otherwise someone could use the hash to login to other sites maybe...
      It's done on the server side, if you use a sniffer you can clearly see your password go through in the header file. That's how almost everything works. Secure sites work differently, but DV is not a secure site since there is no dangerous information being passed around.

    10. #10
      Member Rakjavik's Avatar
      Join Date
      Nov 2007
      Gender
      Location
      USA
      Posts
      462
      Likes
      7
      Thanks for the info guys. Let me just iterate that I am in no way worried about the admins of dreamviews. I just figured it was a good example since I was posting on here.

    11. #11
      Member Achievements:
      Referrer Bronze Tagger First Class 5000 Hall Points Veteran First Class
      Jesus of Suburbia's Avatar
      Join Date
      Mar 2009
      LD Count
      192837465
      Gender
      Posts
      1,309
      Likes
      248
      Quote Originally Posted by Rakjavik View Post
      I'm assuming that whoever runs this site has access to the passwords of all the users. Which made me start thinking.

      A lot of people use the same usernames and passwords for multiple sites. So if the admins here or on another site have access to what pass you use, they could go to that site (don't remember the address) that checks about a 100 other popular sites for the same username, and use the pass.

      Is this true? Do the admins on here, ebay, youtube, all have access to your password?


      This happened to a dude on another forum. Some dude on the forum (forum 1) made another forum (forum 2) and the dude who it happened to signed up on 2. It wasn't as bad but it is technically hacking so anyway, in the dude's sig (on forum 1), the dude who created 2 put
      "I am a stupid noob" or something like that.
