Is there anything stopping the owners of this site from taking our passwords?

[Hanna]

isn't it encrypted? o_o

Another thing:
Universal passwords are a horrible idea.
My cousin uses the same password for his bank account as he does for WoW
>_>

[Cho]

This is why people try to make their passwords easy to remember...If your e-mail gets stolen and someone changes the password on that, then you'd get pretty screwed over.

Even if you have to write it somewhere just in case, keeping the paper somewhere where only you will have access to it.

Why would they take our passwords, anyways?

[Hanna]

This is why people try to make their passwords easy to remember...If your e-mail gets stolen and someone changes the password on that, then you'd get pretty screwed over.

Even if you have to write it somewhere just in case, keeping the paper somewhere where only you will have access to it.

Why would they take our passwords, anyways?

I agree.
I kinda? have a universal password
I use what it's relevant to

this isnt my actual bank password and the number set I use (I'm not that stupid) but

like (including caps)
Chase5654567345
or for paypal
Paypal56567345
mabinogi
Mabi5654567345

it's the same.. but it's not the same
and most people don't think of that xD

[Cannibal]

I'm not exactly sure what use your password would be to anybody, lol.

I think they're encrypted, though. But, Osay would be too lazy to get it anyway, so there's nothing for your to worry about it.

[Lie]

You could always use variations of more than one universal password.

[Xemnas]

I honestly doubt anyone high up would even try something like stealing passwords (yet...),and all my passwords are randomized letters, numbers, or a combination of both. I can remember any type without writing them down, you just need to concentrate or learn to associate codes with certain things so it's burned into your memory.

[TA]

I've answered this before, so I'll just leave my post here:

The only thing stored "encrypted" are passwords, and even we cannot access those. We can change them, but we cannot view what one is, because it simply does not exist within the server in a readable format.

vBulletin uses MD5 and SHA1, but you should keep in mind that MD5 and SHA1 are not encryption algorithms, but are hashing algorithms. As such, they cannot be decrypted as the hash does not include the original data.

Passwords are stored in the following format:

Code:

$password_hash = md5(md5($password_text) . $user_salt);

tl;dr - nobody can get your password. They're hashed, not encrypted. They can't be decrypted. It's not possible.

[Osayidan]

Can't get them like TA showed, and I suggest you make yourself one godly password that you remember as if your life depends on it, and then get keepass http://keepass.info/

[Yoorah]

You should not re-use your passwords. Use unique passwords and keep them written down on paper somewhere. Or use one of those automated password management programs, like KeePass or whatever's more popular these days.

As TA said, by default, this forum software does not store your passwords in the database. Instead, it stores your password's hash, which in simple terms is like a signature of your password. Every time you enter the password into the system for a login, the system converts it to its signature and checks if it matches the signature stored in the site's database. It doesn't compare actual passwords. :3 This is why the system cannot email you your password if you forget it.

That is, if you look at it with a limited understanding of computer security. In practice, you can reverse a hash/"signature" back into the original password if you have the right resources. Proper salting does make this less feasible, but none the less, it's quite possible to get your passwords if an experienced hacker really wanted to do so.

Furthermore, the forum software could be set up to not store passwords as hashes, but rather store them in their original, plaintext form.

Of course, Osayidan wouldn't do something like that, but it's still something you need to be aware of anyway. So like I said, don't re-use passwords.

[TA]

I use Password Safe, personally.

Also, you can use this generator: http://rumkin.com/tools/password/pass_gen.php

Try a string like so:

Code:

abcdefghijkmnopqrstuvwxyzACDEFGHJKLMNPQRTUVWXYZ234679!\"?$%^&*()_-+={}[]:;@'~#|<>.,/

Keep it at like 18-22 characters or so.

Some examples (don't use these):
(ATi"u!jjzH&]NQ_\Xu>Q|
xJKhy+K3VU|X=-&);;ddgr
_Xd{cx@q{hsvJ^??Xo2Zo,
PujTUte!_o3V*!hDH"/&&Z
hvg*yd^bgxE~_d9rFd3Tjy
NCX$/?4Li|v_!t$E)|?P)s
eAjuQ)MmLQ'M:pt#$7dZVz

If you want to make it more complex, you can throw in a few alt codes and it makes it orders of magnitude harder to brute force. Every character you add also exponentially increases the difficulty of cracking it.

edit: Also, use a different password for everything. Use a different e-mail for important things. You can route all of the e-mails to a central e-mail so you don't have to check all of them.