Suggestions
TOPIC | Forgot Password RECOVERY
Honestly, this is one of the most basic functions on any site and I'm still a bit shocked FlightRising has the archaic "reset your password or you're screwed" mindset.
Why?
My password auto-fill constantly fails on this site, and I don't want to have to remember a painfully long password every time I come here, especially when "forgot password" leads to me having to change it every single time.

That's like replacing your engine every time you run out of oil!

Please, for all that is holy, implement a basic password recovery system instead of password resetting only.
Isn't password recovery rather old fashioned these days? I can't remember the last time I used a site that used recovery instead of reset.

Recovery always seems like just cutting a new key if you lose yours. Reset is like changing the lock.
UK time. Sorry for timezone-related delays in responses. They/Them.
@Hyoka what do you mean by a basic password recovery? Like they email you your password?

In short, you shouldn't trust any site that can do that (and bc this kind of thing is really interesting to me, I'll explain, but I am very bad at keeping things short). The important bit is: no support, and I'd suggest just keeping your password written down somewhere.

Storing passwords is a bad idea as it is very insecure - even if everything is encrypted, that would mean a database of passwords would just be sitting there, and if someone got access to said database and found the key they'd be able to get into well over a quarter of a million accounts. If the keys are fully randomised, there'd be another database with all the keys (and it's also too much effort); if the keys are based on the username or password or any other kind of pattern, that can be found.

What FR hopefully uses (as implied by only being able to reset passwords and not recover them) is hashing, which to my knowledge is simply adding a string of characters to the encrypted password. I don't know the exact process (I believe it varies) but it is designed to be a one-way system, so when you log in the site encrypts and hashes your password, then checks it against the encrypted + hashed one in the database, which means the site doesn't actually store your password. The process cannot be reversed, so if the hashing algorithm used is good enough then a hacking attempt is fairly useless.

It's all explained more clearly in this video. In short, you should not trust any site that emails you your password, since this means they're seriously slacking on security (...I doubt asymmetrical encryption, ie. using different keys to encrypt and decrypt, like RSA has any advantage over hashing). It may seem archaic, but it's actually more modern, and a necessity now that we have incredibly powerful computers that can just use brute-force to crack passwords stored insecurely (massive oversimplification).
Password reset is pretty insecure, it's better for everyone in the end if nobody knows your password but you.
No support, I have never been on any site that doesn't require you to reset your password. Flight Rising is no different, and as others have stated, it's not secure.

EDIT: Stupid typo, oops.
No support due to technical reasons.

Passwords are no longer stored in encrypted form, but as hashes. Hash functions are one-way functions that translate a variable-length character sequence to a fixed-length result bytecode. This bytecode, usually combined with a random and saved sequence of characters before computation, is persisted as your password and salt.

When logging in, your input, combined with the stored salt, is calculated to its hash representation. This representation is then compared to the stored bytecode. If it matches, the password is assumed* correct.

This resulting bytecode cannot be back-calculated, hence your password cannot be recovered and needs to be reset instead.

Storing the password as is in an unencrypted or even in an encrypted form makes it more vulnerable to cryptanalysis attacks if the database gets leaked.

See also: https://en.wikipedia.org/wiki/Hash_function

*) While there is a limited number of hash bytecodes, there's an infinite number of character sequences that translate to the same hash value. See https://en.wikipedia.org/wiki/Collision_%28computer_science%29 for more information.
In pinging me I assume consent to be pinged back. This is because I disabled signature display (too many intrusive banners)
Solar stance time difference: +9 Hours FRT
No Support

I couldn't have said it any better than Ettanin just did, and if you have a hard time remembering your passwords (like I can't remember any of mine), there are many handy printable password sheets to use (I have 3 of them for easy categorizing).
I'm +10H ahead of FR time!
Replies may be slow, so sorry ;w;
No support for safety reasons, as detailed above. Essentially, if they could return your password easily like that, that means someone could steal your password fairly easily too.
Collector of Sickle Claws
A lot of the things said here involve someone already having your e-mail.
Password recovery involves sending an e-mail with your password in it.
To retrieve it, someone would already need access to your e-mail.
Password resets send an e-mail where all you do is enter a new password and you're in.
It's not a higher level of security at all.
If you have someone's e-mail that you want to hack the account of, you still can get in as easily either way.
And again, they both serve a function for forgotten passwords.

And I can think of a lot of sites that still use recovery instead of reset, because it simply makes sense.
A lot of people forget their passwords.
Completely changing it to a NEW one makes 0 sense just because you forgot it.
Most people keep dozens of different passwords for security reasons.
A game site isn't taking priority on a piece of paper.
Hyoka wrote on 2016-10-01:

And I can think of a lot of sites that still use recovery instead of reset, because it simply makes sense.
@Hyoka
To recover your password, it has to be stored in a way that it can be encrypted and back-calculated safely.

This is not safely possible, because it would require storing a database decryption key somewhere. Good luck if a hacker obtains it after a database leak ;)

Do you know what happened to Adobe (Misusing 3DES-EDE) or how Sony (No encryption, PWs in plain text) screwed up a few years before?

Secure password storage is in hashes which cannot be back-calculated and even do not require encryption (hence no necessity of insecurely depositing a decryption key) because of this property.

Hence, resetting is the only option.

TL;DR and PSA: Sites that have recovery instead of reset are inherently vulnerable to data leak. If "a lot" of sites have that option, better change the password there and don't use the same elsewhere.

In pinging me I assume consent to be pinged back. This is because I disabled signature display (too many intrusive banners)
Solar stance time difference: +9 Hours FRT
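As an added illustration of the flow Ettanin describes in both posts above (salted one-way hash stored instead of the password, login verified by re-deriving, and reset as the only option because nothing in the record can be turned back into the password), here is example code that is not from this thread or from Flight Rising. The in-memory tables, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for the site's database tables (assumed names).
# USERS maps username -> {"salt": bytes, "hash": bytes}; the password itself is never stored.
USERS = {}
# RESET_TOKENS maps sha256(token) -> username, so a leaked table cannot be replayed directly.
RESET_TOKENS = {}
ITERATIONS = 100_000  # assumed work factor for the example; tune upward for real deployments


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way: PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(username: str, password: str) -> None:
    """Store a fresh random salt plus the derived hash, overwriting any old record."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify_login(username: str, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        _derive(password, b"\x00" * 16)  # spend the same time for unknown users
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def issue_reset_token(username: str) -> str:
    """The 'forgot password' e-mail would carry this token; only its hash is kept."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = username
    return token


def reset_password(token: str, new_password: str) -> bool:
    """Reset means replacing the record; no function here can hand back the old password."""
    username = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if username is None:
        return False  # unknown or already-used token
    set_password(username, new_password)
    return True
```

Two accounts with the same password end up with different stored hashes because each gets its own salt, which is why a leaked table cannot be cracked once and applied to every account.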