@alexchapman Someone should point out to this person that if they do any online banking, that uses SSL/TLS encryption...
@jaybird110127 @alexchapman But they were, and it should have never been released like that. You can deflect and holler all you want but yes, the damage was done as soon as someone realized that was happening and pointed it out. Now we know you either didn't know or care enough to check for such a serious and obvious security issue. If you didn't know and now you do, then that's at least something and maybe we can get past this if you survive dealing with the people in this community who have way too much time on their hands so will make running something that requires moderation and legal protections very difficult if not impossible for a team of just a couple people.
@GamingWithEars @jaybird110127 Oh come on, there's no such thing as damage was done, the damage yeah was done at the time, but it has been undone with the commit and subsequent release that then fixed that by autohashing all passwords. So drop it!
@alexchapman @GamingWithEars I see both sides of this. Yes, it's been fixed. But the fact is that storing user passwords as plaintext is something you just don't do in this day and age. Even if no backup copies of older server-side databases with plaintext passwords still exist, there's no way to prove a negative like that to anyone who may be concerned. In my case it doesn't matter, as I used a password I've never used anywhere else.
@jaybird110127 @alexchapman @GamingWithEars ok I will admit, that's fucked up. also Alex, do actually tell me one thing, and I ask this with all respect.
what hashing algorithm is it using?
@adisonverlice @jaybird110127 @GamingWithEars Argon2, it's stated in the commits I think.
@alexchapman btw, while we're here, another question. how many argon2 iterations does it use?
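The two questions just asked (which algorithm, how many iterations) can be answered from the stored value itself: Argon2 libraries emit hashes in the PHC string format, which encodes the variant, version, memory cost, iteration count and parallelism in front of the salt and digest. The script below is an added example, not code from the project discussed in this thread. It parses that format, reports the iteration count, and audits a set of stored values for the cases this thread cares about: values that are not hashed at all, hashes with weak parameters, and the non-id Argon2 variants. The minimum thresholds are an assumption for the example (taken from OWASP's Argon2id recommendation), and the sample rows are constructed, not real data.

```python
"""Audit stored password values: parse Argon2 PHC strings and flag weak or unhashed entries.

Added example, not the project's own code.  Sample rows are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# PHC string format as emitted by Argon2 implementations, e.g.
#   $argon2id$v=19$m=65536,t=3,p=4$<base64 salt>$<base64 digest>
# m = memory in KiB, t = iterations (time cost), p = parallelism (lanes).
PHC_ARGON2_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))"
    r"\$v=(?P<version>\d+)"
    r"\$m=(?P<memory>\d+),t=(?P<time>\d+),p=(?P<parallelism>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)"
    r"\$(?P<digest>[A-Za-z0-9+/]+)$"
)


@dataclass(frozen=True)
class Argon2Params:
    variant: str
    version: int
    memory_kib: int
    iterations: int
    parallelism: int


def parse_argon2(stored: str) -> Optional[Argon2Params]:
    """Return the parameters encoded in an Argon2 PHC string, or None if it is not one."""
    m = PHC_ARGON2_RE.match(stored)
    if m is None:
        return None
    return Argon2Params(
        variant=m["variant"],
        version=int(m["version"]),
        memory_kib=int(m["memory"]),
        iterations=int(m["time"]),
        parallelism=int(m["parallelism"]),
    )


def iterations_of(stored: str) -> Optional[int]:
    """Answer 'how many Argon2 iterations does it use?' for one stored value."""
    params = parse_argon2(stored)
    return None if params is None else params.iterations


# Assumed floor for this example (OWASP's Argon2id recommendation): 19 MiB, t=2, p=1.
MIN_MEMORY_KIB = 19 * 1024
MIN_ITERATIONS = 2
MIN_PARALLELISM = 1


def classify(stored: str) -> str:
    """Bucket a stored value by whether it is a hash at all and how strong its parameters are."""
    params = parse_argon2(stored)
    if params is None:
        # PHC-style strings start with '$'; anything else is most likely a leftover plaintext value.
        return "other-hash" if stored.startswith("$") else "plaintext-or-unknown"
    if params.variant != "argon2id":
        # argon2i/argon2d are valid but argon2id is the variant recommended for passwords.
        return "weak-variant"
    if (params.memory_kib < MIN_MEMORY_KIB
            or params.iterations < MIN_ITERATIONS
            or params.parallelism < MIN_PARALLELISM):
        return "weak-params"
    return "ok"


def audit(stored_values: Iterable[str]) -> Dict[str, int]:
    """Count stored values per category; a non-zero plaintext bucket means migration is incomplete."""
    return dict(Counter(classify(v) for v in stored_values))


# Constructed sample rows (salts/digests are arbitrary base64, not real credentials).
SAMPLE_ROWS = [
    "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ubnVWbk5KcSkuWpcjT",  # ok
    "$argon2id$v=19$m=1024,t=1,p=1$c29tZXNhbHQ$Zmlyc3RoYXNodmFsdWVoZXJl",          # weak-params
    "$argon2i$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$YW5vdGhlcmRpZ2VzdHZhbHVl",           # weak-variant
    "$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345678",           # other-hash
    "hunter2",                                                                      # plaintext
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{classify(row):22s} iterations={iterations_of(row)}  {row[:40]}")
    print(audit(SAMPLE_ROWS))
```

Run this over the password column of a database export to confirm every row is an Argon2id hash with acceptable parameters; any row in the plaintext bucket is a user whose credential was never re-hashed and who should be forced through a password change.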
@alexchapman @jaybird110127 @GamingWithEars also while, yes, it was fucked up, it has been fixed, which is good. i'd also recommend passkey authentication if possible, it is good at what it does. i'm actually working on a CF implementation using CF workers that uses Cloudflare workers, and authenticates based on OIDC
@jaybird110127 @GamingWithEars Yeah, and that's why as soon as it came to light it was fixed right away. There's no point in holding that against us now it's done.
@alexchapman @jaybird110127 And that's good you fixed it promptly. I may make an account if like I say, it can survive what is going to no-doubt be a huge headache for everyone responsible for the development of this. Not holding it against anyone, but this happened so it does give myself and others pause. But I'm taking the wait-and-see approach.
@GamingWithEars @jaybird110127 OK then. Stu and I are not giving up on this, especially since platforms like Discord are doing stupid stuff, and people are getting sick of the state of WhatsApp on Windows now.
@alexchapman @NicksWorld Anything that has stored passwords in plain text is not safe to use, even if that is no longer the case. In my opinion, the damage has already been done. I'm glad this came to light. The person who posted this, originally, did everyone a favor, in my opinion.
@Lynn @NicksWorld Not really, the passwords are not in plain text, so it's perfectly safe, people just have to make sure they're on the latest release, and if they are that worried, they can go to settings and change password.
@alexchapman I see a lot of crap because it's vibe coded more than that. People love to hate what they can't detect. They know people like me vibe code because we won't shut up about it, or they look at my code and it's painfully obvious. that's about it. That's what they don't realize.
@serrebi Yeah, well I had to tell this guy to shut up as I'm not spending all day back and forthing about the same shit.
@alexchapman No kidding. Obviously there are limits to vibe coding. I'm realizing this myself. They should give cred where it's due instead of assuming we're all exaggerators.