This might be a silly question but I couldn’t find this information through searching google.

I’m wondering if the lemmy platform for all instances encrypts passwords automatically, or if admins are able to view user passwords.

It’s not so silly once you consider that even big corporations often store passwords in plaintext which comes out during a hack.

Thanks for answering.

  • RandomBit@lemmy.sdf.org · 13 up, 6 down · 1 year ago

    None of your other accounts will be compromised because you’re using a random password stored in a password manager.

    You are using a password manager?

  • neanderthal@lemmy.world · 4 up · 1 year ago

    big corporations

    Big corporations and commercial software are so much different from open source projects that apples and oranges is a massive understatement, more like apples and asteroids.

    Commercial projects have more constraints for a plethora of reasons. Open source, not so much. Some examples from a vendor perspective: large customers and their environments limit you (e.g. your biggest customer uses old crappy thing x that limits developers), license restrictions (e.g. using GPL code risks having to release the code and rights to distribute the software you are trying to sell), over-promising marketing or sales that creates deadlines that limit quality control, incompetent co-workers, ability of your support staff and SLA requirements, etc. In-house development has some of those issues, except they have to deal with crappy thing x that the vendor won’t or can’t update, super important stuff using really old systems that are really hard to replace, like the software controlling a 10-million-dollar, 20-year-old centrifuge used to separate a chemical critical to an industrial process.

    Open source doesn’t have these constraints; users can just fork the code and keep using the old stuff if their COBOL-based financial transaction processing system needs it and update it themselves.

    The millions of eyeballs on open source code is exaggerated. Most users of OSS, even those with the skills, don’t look at the code of a lot of things they use. There realistically isn’t time. BUT…password storage, authentication, and session code is almost guaranteed to get scrutiny.

    Lastly, commercial software can do bad things like plain text passwords because they want to cut corners for the bottom line.

    Open source software can still completely suck and make poor decisions as well because anyone can publish some OSS whether or not it is actually good.

  • puppetx@lemmy.world · 4 up · 1 year ago

    There is no way the passwords aren’t hashed, otherwise I’m sure some responsible dev on the project would be making some noise.

    • WeirdGoesPro@lemmy.world · 6 up · 1 year ago

      Isn’t there some famous cautionary tale about everyone assuming someone else checked? Regardless, someone else in this thread checked, and passwords are hashed.

  • neanderthal@lemmy.world · 3 up, 1 down · 1 year ago

    Password hashing is great, but if an attacker breaks lemmy or an instance server somehow and can modify lemmy or tinker with the front-end server config, they can just steal credentials as they come in, so hashing is good, but IMO gets given more importance than it should. I’ll take my downvotes now for downplaying password hashing.

      • WhyIsItReal@lemmy.world · 3 up · edited · 1 year ago

      i mean, if you’re not hashing passwords, there is clearly a major problem there.

      if in attacker breaks lemmy

      what does this even mean?

      are you worried about mitm attacks? that’s a basic feature of HTTPS, and basically the reason it exists