Password security on chess.com?

eddins

If you've seen the news today, you may know that Yahoo.com is getting beaten up for poor security practices that led to almost half a million user passwords being posted online. One of the basic mistakes that Yahoo apparently made was to store passwords in plain-text form in an internal database.

When I signed up for my chess.com account, the site sent me the password that I entered back to me as plain text in an email. That makes me think that maybe chess.com handles passwords in a generally insecure manner.

Can someone from chess.com comment on this security issue?

djcaf

I am not chess.com staff, however if I access my chess.com email my password is included in the URL as plain text which means it must either not be encrypted or encrypted in some form that allows it to be decrypted. This is potentially insecure.


Passwords should be stored in a form that cannot be decrypted, as decryption is not necessary to verify the password. What should usually happen is the user enters their password, it is encrypted (or hashed) using a one-way algorithm and this result is compared to what is stored in the database. When the user originally chose their password the same one-way algorithm would be used to encrypt the password and store it.
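The store-then-verify flow described in the post above, as an added example that is not from the thread or from chess.com. It assumes PBKDF2-HMAC-SHA256 as the one-way algorithm (the post names none) and a per-user random salt; the stored record never contains the plaintext, so nothing in it can be emailed back or put in a URL.

```python
# Added example: storing a password as a salted one-way hash and verifying a
# login attempt by re-deriving the hash, never by decrypting anything.
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation); raise it
# as hardware gets faster. A slow hash limits guessing speed if the table leaks.
ITERATIONS = 600_000


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a database should keep: algorithm, salt, cost, hash."""
    salt = salt if salt is not None else os.urandom(16)  # random per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Hash the attempt with the stored salt and cost, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_reveals_password(record: dict, password: str) -> bool:
    """True only if the plaintext appears in the stored record, which is what a
    plaintext or reversibly 'encrypted' scheme would expose; here it never does."""
    return password in record.values()


def same_password_different_records(password: str) -> bool:
    """Random salts: two users with the same password get different hashes, so a
    leaked table cannot be cracked with one precomputed lookup for everyone."""
    a, b = store_password(password), store_password(password)
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong guess"))                   # False
```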

eddins

Plain-text passwords in URLs, criminy! I'm giving serious thought to finishing my games in progress and then deleting my chess.com account.

Elizabeth0

Why would you want to leave when nothing has happened to you yet? Is there anything someone could get if they broke into your account that you really wouldn't want them to? Like there's no info that you have to give chess.com that's top secret like your social security number or something at least that I'm aware of...

Pre_VizsIa

Who cares if it's plain-text passwords in URLs? Only people using YOUR computer can see it. That being said, obviously this could be made more secure. But it's not really necessary, except maybe for paying members.

ChessisGood

@Elizabeth0: How about Credit Card numbers?

This forum should be moved to "Help and Support," in my opinion.

Pre_VizsIa

ChessisGood - ouch! Good point.

Elizabeth0

Well yes, chess.com has your credit card number when you pay, but it's not like leaving the site will take it away from them... But would someone be able to find your credit card number from anywhere on your account, like does it store it on your account or only go to chess.com? I don't know because my premium membership was a gift.

MoonlessNight
Elizabeth0 wrote:

Well yes, chess.com has your credit card number when you pay, but it's not like leaving the site will take it away from them... But would someone be able to find your credit card number from anywhere on your account, like does it store it on your account or only go to chess.com? I don't know because my premium membership was a gift.

Mine was too. No worries :)

eddins

Hi Elizabeth0,

I think your question, "Why would you leave when nothing has happened to you yet?", is a bit like saying, "Why would you lock your front door when nothing has been stolen from your house yet?"

Timothy_P, anyone with the right equipment, software, and knowledge can see HTTP requests as they travel around the world on the network.

Yes, the password to my chess.com account isn't as critical to me, personally, as the password to my banking web site. However, a common mode of online-based theft and fraud these days is to steal user passwords from a low-security site and then take advantage of the fact that most people use the same password on many different sites.

If chess.com is truly handling passwords in an insecure fashion (and including passwords in plain text in email and URLs is about as insecure as it gets), that indicates a level of carelessness with handling personal information about its members. That bothers me enough to consider "voting with my feet" by walking away.

I recognize that others don't feel the same way, and I'm not really trying to convince anyone to take any particular action. I really just wanted to find out more information from chess.com on this issue.

ChessisGood, I did try to identify the best forum on which to post. "Site feedback & suggestions" seemed a reasonable choice. I am giving feedback and making suggestions about the way the site handles password security.

kohai
Elizabeth0 wrote:

Well yes, chess.com has your credit card number when you pay, but it's not like leaving the site will take it away from them... But would someone be able to find your credit card number from anywhere on your account, like does it store it on your account or only go to chess.com? I don't know because my premium membership was a gift.

Only the last 4 digits show on the Account Payment History page of those who upgrade themselves.

So even if someone did get access to the account they wouldn't be able to see the credit card number.

TheGrobe

kohai, can you confirm whether the credit card numbers are stored in their entirety within chess.com's databases though?  Best practice is to immediately delete the record of a credit card number once the transaction it was collected for has been completed, but chess.com auto-renews and automatically re-charges my credit card, so....

Someone would have to really compromise chess.com to get access to the behind-the-scenes data, but if the user password security practices aren't where they should be then should we be similarly concerned about the security practices as a whole? 

Elizabeth0
eddins wrote:

Hi Elizabeth0,

I think your question, "Why would you leave when nothing has happened to you yet?", is a bit like saying, "Why would you lock your front door when nothing has been stolen from your house yet?" 

lol That's why I went on to explain it with my later question. What I was trying to say was you don't have any information on your account that would be hurtful to you if someone got into it. But if you were hacked, and the hacker messed up everything for you, then you might want to leave... lol I don't always make the most sense.

I see what you mean about the passwords being used on other places. But you can just have a different password for this site. I don't think one person walking away would make a difference. (I don't think one vote makes a difference...that's one of the reasons I hate politics. lol)

kohai
TheGrobe wrote:

kohai, can you confirm whether the credit card numbers are stored in their entirety within chess.com's databases though?

In "my" experience, knowledge and access, no they aren't stored in their full entirety on the Chess.com database.

I'm not fully versed on this as I don't work in Billing, it's not my area.

While I do work in a huge amount of areas covering the site I don't work in billing so my knowledge of that is limited.

Sorry I can't be of more help on this or give more information, but that's because I literally don't know.

Elizabeth0

Thank you Kohai!

So since nobody's credit card number is kept on their account, leaving chess.com doesn't make it any safer for them personally (unless they use the same password on other sites as eddins was concerned about). And even if chess.com keeps someone's credit card number when they buy premium membership, that would only be a reason to not buy it in the first place, but once you have already gotten it, leaving the site won't take it away from them. But you have to take that chance with every online store...

EternalChess
eddins wrote:

Hi Elizabeth0,

I think your question, "Why would you leave when nothing has happened to you yet?", is a bit like saying, "Why would you lock your front door when nothing has been stolen from your house yet?" 

When your account gets hacked.. what's the worst that can happen to you? Someone resigns several games?

I think you are fine on this site.. there is really no need for hacking.

If such a big site like Yahoo uses the same method of keeping passwords as chess.com, and ran 17 years without having any major problems, I think chess.com will be safe.

All I can say is, I doubt anyone is motivated to hack chess.com accounts, as there is no reason to.

emkcehc

US credit card and banking standards mandate that if credit cards are stored they MUST be encrypted or the merchant can be fined for each violation.

Here is a reference: http://www.pcicomplianceguide.org/pcifaqs.php

ozzie_c_cobblepot

Any site which can send you your password in an email is not doing it "right" in a sense. But it sure is convenient for users. I would argue that bank websites operate under a different set of expectations than LATimes.com, for example. I would put chess.com closer to LATimes than a bank.

PLAVIN81

CHESS.COM HAS ENCRYPTED FOR SECURITY REASONS ALL PERSONAL INFORMATION. YOUR PASSWORD IS SAFE FROM OUTSIDE INTRUSION

kohai

http://www.chess.com/legal.html#termsofservice

Confidentiality and Security

We limit access to personal information about you to employees who we believe reasonably need to come into contact with that information to provide products or services to you or in order to do their jobs. We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.