WARNING: Passwords stored as plaintext in activation server?

krank

New member
Not sure where to put this, but...

TL;DR: The NESmaker activation system, https://www.softworkz.com/mylicense, has EXTREMELY BAD SECURITY and if you use the same password there as on ANY other site or system, you need to change it. NOW.

And I don't mean change it at Softworks. No, you need to change it EVERYWHERE YOU'VE USED IT.


This is an issue I discovered almost immediately when I received my NESmaker license as a backer. I habitually try out the "resend my password" feature of new systems that require registration.

If the system sends me a NEW password, it's an indication that my password MIGHT be securely stored - hashed and hopefully salted.

Or the devs are just clever enough to obfuscate their poor security.

HOWEVER - if the system sends me my ACTUAL PASSWORD IN PLAINTEXT in an E-mail... that's bad. Oh man, that's bad.

Because that means whoever designed the system has given next to no thought to security. It means my password is stored in plaintext - and anyone who manages to hack into the server or gains access to the database in any other way... also has my password. In plaintext.

Guess what? The Softworkz site sends you your password in plaintext. Over E-mail, no less. Not a new password - I've checked multiple times. The same password.

This... this is BAD.

It gets worse. Since the site has a policy of not allowing you to reuse passwords... that means they also save ALL your OLD passwords as well. And I assume they do so in plaintext.

So... Every password you've ever used on the Softworkz license site must now be considered insecure. If you've used them anywhere else, go change them. Everywhere.


Why haven't I said anything before, if I discovered this back when I first got my license? Well, I wanted to give the NESmaker people the chance to fix it.
So I contacted them; first using the form on their site on August 10, then again via the Facebook page on August 23.

No response. And now it's been the customary 60 days... So here it is.

I really, really want to be wrong about this, so feel free to correct me.

(Now that I think about it... This site doesn't even use HTTPS, does it? Man oh man...)

MrElephant

Member
This is extremely important, and I am glad you brought this up krank. Have you tried reaching out to Mistsonata to see if they can contact the admin team?

chronosv2

New member
Just tested this myself. Wow. I don't think the team knew about this when they got started but this really should be addressed.

krank

New member
After making this post and a similar one on the Facebook page, I finally got a response from the NESmaker team.

It seems the Softworkz site they use is simply third party. I was included in an E-mail exchange where the Softworkz rep tried some truly horrendous bullshitting tactics, namely:

1) "We encrypt the passwords in our database, but decrypt them when needed". This, I'm sure, sounds reasonable to a layperson. But no, sorry, that's not how it works. If someone can access your servers, and your servers can decrypt my password, then the person accessing your servers can also decrypt my password.

2) "In more secure places, such as bank accounts, passwords are reset instead of resent". First of all, I'd very much hesitate to use a bank that relies on simple username/password systems. Secondly, it's extremely dishonest trying to paint password hashing and password resets as something primarily used on the "banking level". It's standard everywhere, from the simplest "My First Blogging Engine" stuff all the way up.

3) "We decided it wasn't worth the hassle the consumers would have to go to". Yeah sure.

So, AFAIK this is not going to change. My guess is that NESmaker are pretty much locked in with these people at this point, and it doesn't seem like Softworkz are taking this seriously or even care. They seriously just tried bullshitting both me and the NESmaker rep. Hopefully the NESmaker folks take this into consideration in the future and either switch third party or force them to conform to basic security standards. It sucks that they would have to take time off from developing kickass NES software to deal with dishonest assholes like the Softworkz people.

My takeaway: Everyone who develops anything needs basic security training, to at least be able to screen and test for the most obvious stuff & know what to look for in a secure solution.

Also: I'll continue using NESmaker of course, but I'll make DAMN sure not to reuse my Softworkz password anywhere else.

I'll likely continue to monitor this, to see if they change anything, but remember: even if they at this point stop sending us our passwords in plaintext, trust is already broken. There's no way of knowing if they've actually started hashing their passwords or if they just replaced the frontend.
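The two posts above describe the behaviour a well-built login system should have: passwords stored only as salted hashes (so a "resend my password" feature is impossible by construction), a reset token sent instead of the password, and a no-reuse policy that works without keeping a plaintext history. The example below is added here to illustrate that design; it is not code from the forum, from NESmaker or from Softworkz. It uses only the Python standard library, keeps accounts in an in-memory dictionary standing in for a database, and the e-mail addresses, passwords and work factor are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Illustrative parameters (constructed for the example); production deployments
# tune the work factor to their hardware and keep reset links short-lived.
PBKDF2_ITERATIONS = 200_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string cannot be turned back into the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """In-memory stand-in for the licence database (constructed for the example)."""

    def __init__(self) -> None:
        self.users = {}         # email -> {"current": hash, "previous": [hashes]}
        self.reset_tokens = {}  # sha256(token) -> (email, expiry); raw token never stored

    def register(self, email: str, password: str) -> None:
        self.users[email] = {"current": hash_password(password), "previous": []}

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and verify_password(password, user["current"])

    def resend_password(self, email: str) -> None:
        # Deliberately impossible: the server only holds hashes, so there is nothing to resend.
        raise NotImplementedError("passwords are hashed; use request_reset instead")

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Return a one-time token to place in the reset e-mail (None for unknown accounts)."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[key] = (email, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token once; reject expired tokens and reuse of any earlier password."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.get(key)
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            del self.reset_tokens[key]
            return False
        user = self.users[email]
        # No-reuse policy checked against hashes only: no plaintext history is needed.
        if any(verify_password(new_password, h) for h in [user["current"], *user["previous"]]):
            return False  # token stays valid so the user can pick a different password
        user["previous"].append(user["current"])
        user["current"] = hash_password(new_password)
        del self.reset_tokens[key]
        return True
```

Two points worth noting in the design: the reset token is stored only as its SHA-256 digest, so a database read does not yield usable reset links any more than it yields passwords; and the "previous passwords" list is a list of hashes, which is enough to enforce the no-reuse rule the first post mentions without ever retaining a password in recoverable form.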
