Author Topic: FurBuy: Your Unencrypted Passwords Are Safe With Us!  (Read 978 times)

Conan

  • Posts like Kage drinks
  • Posts: 712
  • E-points: +38/-9
  • ¯\(°_o)/¯
FurBuy: Your Unencrypted Passwords Are Safe With Us!
« on: August 16, 2014, 05:01:13 am »
Welcome to the year 2014. Yesterday, someone finally noticed that the pile of PHP shit code known as "FurBuy", which has operated since 2000 (y'know, 14 years ago) and successfully beats out FA for ugliest website, sent you your password in plaintext when requesting a "reset" email.

@TimeSuppression: #ProTip properly encrypt your user database and don't email users their passwords. That's the worst thing you can ever do @furbuy.

What happened next is your typical Furry Response. I saw it while I was at work, and neglected to save it. The tweet(s) have since been deleted (of course), but please enjoy this dramatic reenactment:
Quote from: @FurBuy (REENACTMENT)
Encrypted passwords are dumb nerd shit!!! This has worked for 15 years!!
OK, that's not exactly what was said, but the point is basically the same. Whoever was on the FurBuy account was fairly dismissive of the idea that not encrypting your passwords is a security flaw.

While the FurBuy tweets are gone, the responses remain. You can still kinda tell what was going on with this user's replies.

FurBuy ultimately spun this as "drama" (the usual response to all things Furry) and assured users that accounts were "100% safe".

Quote from: @FurBuy
Despite recent drama we want to re-assure all users that your accounts are 100% safe on our system.

The 100% Safe FurBuy then pulled password resets offline and is now building a new system and investing in an SSL cert.

magus

  • Posts: 48
  • E-points: +4/-0
Re: FurBuy: Your Unencrypted Passwords Are Safe With Us!
« Reply #1 on: August 17, 2014, 01:22:47 am »
This can, of course, safely be summed up with (Juranning Intensifies) at every stage, but it's so wonderful to see how another of Furry's self-appointed God-Coders just fails to grasp basic security.

SuperBarrioBrothers

  • Posts: 26
  • E-points: +2/-0
  • Uninitiated Rube
Re: FurBuy: Your Unencrypted Passwords Are Safe With Us!
« Reply #2 on: August 17, 2014, 01:23:26 am »
"Encrypted passwords are dumb nerd shit!!! This has worked for 15 years!!"

Let's not forget that Furbuy is a Jurann project.

Yes, "My Ass is Hungry" Jurann. Yes, the guy who got chlamydia at CF10 and announced it to the world via the Purple Nurple bulletin board (because he was so fucked up that weekend, he couldn't remember everyone who used him as a semen dumpster) Jurann.

He hated work to the point where he found a sugardaddy in his area (Oskar) and sponged off him until Oskar prematurely died.

So why is anyone surprised that one of Jurann's many attempts to make a name for himself was a failed Web 1.0 auction site, designed to take Furbid down, that he's not touched since it was obvious that a majority of fandom wasn't going to use it?

Coding is work...

magus

  • Posts: 48
  • E-points: +4/-0
Re: FurBuy: Your Unencrypted Passwords Are Safe With Us!
« Reply #3 on: August 17, 2014, 01:27:27 am »
Quote from: SuperBarrioBrothers
So why is anyone surprised that one of Jurann's many attempts to make a name for himself was a failed Web 1.0 auction site, designed to take Furbid down, that he's not touched since it was obvious that a majority of fandom wasn't going to use it?

Coding is work...

Yup. Of course these days he seems to be dumping most of his 'brainpower' into some kind of bizarre e621 competitor, so he probably doesn't have much time for old and busted auction sites.

Zinn

  • Posts: 9
  • E-points: +1/-0
  • Possibly Rabid
Re: FurBuy: Your Unencrypted Passwords Are Safe With Us!
« Reply #4 on: August 20, 2014, 05:16:41 pm »
I thought this was hilarious till I learnt it was Jurann running it. Despite him being pathologically work-shy, it would take less than a minute to fix.
Simple search: http://webcheatsheet.com/php/md5_encrypt_passwords.php Copy and Paste, job done and profit.

If he wanted to understand what the hell the code was doing, Code Academy runs a four-hour crash course in PHP. SSL and pulling resets offline are only going to be quick fixes that avoid the main issue but hit at related problems. For a site that handles financial transactions, he really should've invested in better measures. Currently it sounds like a scammers' goldmine.

mahadri

  • Posts: 10
  • E-points: +2/-0
  • Uninitiated Rube
Re: FurBuy: Your Unencrypted Passwords Are Safe With Us!
« Reply #5 on: August 25, 2014, 06:51:29 am »
Quote from: Zinn
For a site that handles financial transactions, he really should've invested in better measures. Currently it sounds like a Scammers' goldmine.

There isn't much anyone can get from hacking FurBuy since it doesn't handle the actual financial transactions, most information is public, and it'd be hard to game the bidding system, even with internal access. The site's most valuable asset is probably users' passwords, especially if users use the same passwords on other sites, and a username/password dump would cause everyone to flee to The Dealers Den. There's risk on both sides that FurBuy needs to address, especially now that people know that unhashed passwords exist.

Of course, encrypting passwords is only needed if the site is hacked. It'd be better if @FurBuy explained the actual risks involved rather than saying everything's 100% safe, which is never the case. I wish I saved @FurBuy's tweets, because it's obvious from the words they used that @FurBuy is unfamiliar with cryptography, touting encrypting both passwords and the entire database with "two-way" "1024-bit encryption". I don't even. Actually in their defense, it's possible to implement a secure-ish reset system like they have with public key algorithms, but I've never even heard of anyone discussing it, and it's easier to just follow standard practice, and it appears that @FurBuy doesn't have the expertise anyway. I'd even give a large, non-zero probability that the passwords are not encrypted at all.

Quote from: SuperBarrioBrothers
Coding is work...

And profit margins for websites in the fandom are small to negligible, which is why they're run by people who accept ego stroking as payment while all the professionals ignore the fiasco. It could be much better, but that's a story for another time...

Quote from: Zinn
Simple search: Copy and Paste, job done and profit.

I highly recommend https://crackstation.net/hashing-security.htm instead. "There are a lot of conflicting ideas and misconceptions on how to do password hashing properly, probably due to the abundance of misinformation on the web. Password hashing is one of those things that's so simple, but yet so many people get wrong." Specifically, that link uses unsalted MD5 hashes, which are more easily crackable than other methods. (Rainbow tables exist to quickly crack any 8-character MD5-hashed password.)
« Last Edit: August 25, 2014, 08:36:14 am by mahadri »
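To make the contrast in the post above concrete (unsalted MD5 from the cheat-sheet link versus the salted, iterated hashing the crackstation article recommends), here is an added example. It is not FurBuy's code or code from either linked page; the user names, the shared password "hunter2", the storage format and the PBKDF2 round count are all constructed for illustration.

```python
"""Added example: why unsalted MD5 is a poor password store and what a
salted, iterated hash looks like instead. Not FurBuy's code."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happen to choose the same password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2"}

# Assumption: a round count chosen for the example, not a value from any site.
PBKDF2_ROUNDS = 100_000


def md5_unsalted(password: str) -> str:
    """The cheat-sheet approach: one deterministic digest per password.
    Every user with the same password gets the same digest, so a single
    precomputed table of common passwords reverses all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, serialised as
    'pbkdf2_sha256$<rounds>$<salt hex>$<digest hex>' so the parameters
    needed to verify travel with the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_user_table(users: dict, salted: bool) -> dict:
    """Simulate the stored password column under each scheme."""
    if salted:
        return {name: hash_password(pw) for name, pw in users.items()}
    return {name: md5_unsalted(pw) for name, pw in users.items()}


def identical_passwords_collide(users: dict, salted: bool) -> bool:
    """True if two users sharing a password also share a stored value.
    That is the property a lookup table exploits; salting removes it."""
    table = build_user_table(users, salted)
    values = list(table.values())
    return len(values) != len(set(values))


def login(name: str, password: str, table: dict) -> bool:
    """The check a reset or login handler would run against the salted table."""
    stored = table.get(name)
    return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    print("unsalted MD5 collides:", identical_passwords_collide(SAMPLE_USERS, False))
    print("salted PBKDF2 collides:", identical_passwords_collide(SAMPLE_USERS, True))
    table = build_user_table(SAMPLE_USERS, salted=True)
    print("alice/hunter2:", login("alice", "hunter2", table))
    print("alice/hunter3:", login("alice", "hunter3", table))
```

Note that with a salted store the site can still verify a password at login, but it can no longer email the password back, which is exactly the point: a reset flow has to issue a new secret rather than reveal the old one.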

Zinn

  • Posts: 9
  • E-points: +1/-0
  • Possibly Rabid
Re: FurBuy: Your Unencrypted Passwords Are Safe With Us!
« Reply #6 on: August 25, 2014, 01:51:26 pm »
Quote from: Mahadri
There isn't much anyone can get from hacking FurBuy since it doesn't handle the actual financial transactions

You have contributed wonderfully to this thread, and there's a thing or two I could learn from you. In addition to suggesting the hacker could get access to other accounts if people recycle passwords, I'd say one other thing a hacker could get would be the sadistic satisfaction of griefing the users. Either the internet isn't as cruel as it's made out to be, or @Furbuy has some protection by being an obscure and specialized auction site that most people even within the fandom probably haven't heard of, let alone anyone outside.

mahadri

  • Posts: 10
  • E-points: +2/-0
  • Uninitiated Rube
Re: FurBuy: Your Unencrypted Passwords Are Safe With Us!
« Reply #7 on: August 28, 2014, 07:06:07 am »
Quote from: Zinn
I'd say one other thing a hacker could get would be the sadistic satisfaction of griefing the users.

Griefing on social media is easier with more opportunities. A few different popufurs per week complain about griefing on Twitter, FA, YouTube, etc.

Quote from: Zinn
@Furbuy has some protection by being an obscure and specialized auction site

Yep, not enough return on investment for anything but its intended use.