Password security on chess.com?

That's certainly not true!

There are many ways for hackers to read any unencrypted data. Sending passwords unencrypted as an url parameter even is extremely insecure, it's almost a guarantee that passwords will be "stolen" (actually you can not even call it hacking or stealing in this case, the data is more or less public) sooner or later that way.

Many people have strong passwords for some sites, and weak passwords for others. My advice is if a website which processes money can email you your password, don't use them. This includes amazon, PayPal, all banks, credit cards, and any other merchant website you save account information on. For other websites, make sure you do not reuse any of your strong passwords. This includes chess.com.

We don't store passwords in plain - its encrypted with hash and salt.

Awhile back, the now CEO of reddit wrote a note on Facebook about password security. It's a good read. One of the litmus tests of a website which does not code passwords securely is if they can email you the password. Note that so-called temporary passwords are exempt from this test.

Sounds delicious.

Well indeed! The forgot password flow does not offer to email the password, it offers to email a link to change the password. So I, and whoever posted above about emailed passwords, was wrong. Bravo chess.com!

kohai,

But you seem to transmit plain-text passwords across insecure networks in at least two ways, by email and by embedding them in URLs. This fails the password security "litmus test" mentioned by ozzie_c_cobblepot in his comment.

ozzie_c_cobblepot,

When I signed up for my chess.com account in May 2011, they sent my username and password (a password that I chose, not an automatically generated one) back to me as a plain-text email. I complained about it here:

http://blog.chess.com/eddins/chesscom-sends-password-in-plain-text-e-mail-boo-hiss

Do you mean at registration only? Or at a later moment? If the latter the passwords are not stored hashed and salted.

If stored properly encrypted (edit: meant hashed) even chess.com can not simply read the passwords from the database.

Yeah the URL thing is awful. Also, perhaps they modified e sign up flow since you registered.

Also worth mentioning is that the account pages, which contain personal data, are not sent encrypted. This is illegal by Dutch (and/or European) law!

You forgot about the shark filled moat

Ha ha ha !! Ibeatyoucheckmater is the funniest guy I know ! And he makes great videos.

can the email address also related to username

Not sure if I understand the question, but all account data that is sent is sent unencrypted. That includes the email address and username.

It seems to me that if sensitive information is being transmitted in the clear, that's a problem. Can anyone say how this should be properly handled? I guess public key encryption isn't feasible. Do you just send the info over a https web page, or is there a better way?

And in the case of a forgotten password, how is that handled? (If the site is only holding one-way hashes of passwords, then I guess the site can't supply lost passwords?)

Does anyone have some reading links?

No links at hand, but it's not so complicated.

Account  information should be sent using https,  quite simple and effective.

Passwords should indeed be hashed. In the the case of a forgotten password the site should simply sent a temporary new one (which the user changes at first login).

(Google it if you don't believe me ;))

Hashed and also salted.