Major security flaw in the website

So I recently discovered a serious security flaw in the website that might be putting your passwords at risk.

My brother forgot his account's password, so he used the "forgot details" feature to get his password back, and it sent him the password in plain text. I was shocked by this, so I decided to try it out myself, and yeah, that's basically what it did.

This means that the website is storing our passwords either in plain text or using reversible encryption, both of which are very insecure.

Why this is bad

  1. If the database gets breached, all your passwords will be exposed. Meanwhile, if they were salted or hashed, this wouldn't happen.
  2. Mike, or anyone else with access to the database, can basically freely view all the passwords.
  3. In either of the cases above, if a malicious person gets access to those passwords and you happen to be using them on other websites, they can easily gain access to your accounts on those websites too.

What should be done instead

  1. Passwords should be stored using a hashing algorithm like bcrypt. What this does is store the password in an irreversible form, making it extremely hard to recover the actual password.
  2. Whenever a user logs in, the system hashes their input password and compares it with the stored password hash. If they match, the user gets logged in.

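The storage and login flow described above, as an added example that is not the site's code or the poster's own: the plaintext store the post describes sits beside a hashed store. The post names bcrypt; this example uses scrypt from Python's standard library (hashlib.scrypt) so it runs without third-party packages. The cost parameters, the record format, the class and function names, and the reset-token flow are assumptions for illustration. It also shows why a "forgot details" feature can no longer send the password back once only hashes are stored: the most it can do is issue a one-time reset token.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed example, not the site's code. scrypt cost parameters are assumed;
# tune them for your hardware (memory use is roughly 128 * r * n * p bytes).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


class PlaintextUserStore:
    """What the post describes: the secret itself is stored, so anyone with
    database access (or the 'forgot password' feature) can read it back."""

    def __init__(self):
        self._rows = {}

    def register(self, username, password):
        self._rows[username] = password

    def login(self, username, password):
        return self._rows.get(username) == password

    def forgot_password(self, username):
        return self._rows[username]  # leaks the password in plain text


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None):
    """Self-describing record: algorithm, parameters, per-user salt, derived key.
    Nothing in it can be turned back into the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user: equal passwords hash differently
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$scrypt$n=%d,r=%d,p=%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(key))


def verify_password(password, record):
    """Re-derive the key with the stored salt and parameters, compare in
    constant time. Malformed records never verify."""
    try:
        _, algo, params, salt_b64, key_b64 = record.split("$")
        if algo != "scrypt":
            return False
        p = dict(kv.split("=") for kv in params.split(","))
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=int(p["n"]), r=int(p["r"]), p=int(p["p"]),
                             dklen=len(expected))
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(key, expected)


# Hashed on every login for unknown users so response time does not reveal
# which usernames exist.
_DUMMY_RECORD = hash_password("not-a-real-password")


class HashedUserStore:
    """Only hashes are stored, so 'forgot password' cannot return the password;
    it issues a one-time reset token instead (stored hashed as well)."""

    def __init__(self):
        self._rows = {}    # username -> password record
        self._resets = {}  # username -> sha256(reset token)

    def register(self, username, password):
        self._rows[username] = hash_password(password)

    def record_for(self, username):
        return self._rows.get(username)

    def login(self, username, password):
        record = self._rows.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)
            return False
        return verify_password(password, record)

    def forgot_password(self, username):
        if username not in self._rows:
            return None
        token = secrets.token_urlsafe(32)  # would be e-mailed to the user
        self._resets[username] = hashlib.sha256(token.encode()).digest()
        return token

    def reset_password(self, username, token, new_password):
        expected = self._resets.pop(username, None)  # single use, even on a wrong guess
        if expected is None:
            return False
        given = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(given, expected):
            return False
        self._rows[username] = hash_password(new_password)
        return True
```

The record stores its own parameters so the cost can be raised later and old records still verify; `hmac.compare_digest` avoids leaking how many bytes of the hash matched. The reset token is kept only as a SHA-256 digest, for the same reason the password is: a database dump must not contain anything that logs a user in directly.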