Hello, c/Games mod here.

This post has been reviewed as valid by the mod team

For everyone infosec culture, hashing and salting password consist in using one-way mathematical functions to encrypt passwords. It is a very commonly used security practice to make it more difficult for an attacker that was able to steal a database to obtain the password. As the website is unable to decrypt said password (thank to the one way mathematical function), the only way to send you back your password in this manner is to have it unhashed and unsalted in his database.

But

In the current case, this is a registration email, which may have been sent before the initial hashing and salting. In this case we cannot say for sure if Larion Studios indeed have unhashed and unsalted password in his database.

That doesn't really mean that they store it in plain text. They sent it to you after you finished creating your account, and it's likely that the password was just in plain text during the registration. The question still remains whether they store their outgoing emails (in which case yes, your password would still be stored in plain text on their end, not in the database though).

Don’t use a password ~~there~~ that you’ve used anywhere else

Just get a password manager already

That's very unlikely. It's running UBB Threads, which, from what I can tell, has an auth subsystem, which au minimum would do hashing. If it's providing you with a default at sign-up, that's different and is what appears to be a configurable setting.

If it is completely generated for you, here's what probably happening:

1. User creation module runs a password generator and stores this and the username in memory as string variables.
2. User creation module calls back to storage module to store new user data in db, including the value of the generated password var.
3. Either the storage module or another middleware module hashes the password while preparing to store.
4. Storage module reports success to user creation.
5. User creation module prints the vars to the welcome template and unloads them from memory.

TL;DR as this is running on a long-established commercial php forum package, with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.

no, they probably dont.
they just send it to your email upon registration, which is kinda a bad idea, but they are probably storing passwords hashed afterwards.

You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.

Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.

Sending your password right after you created it might not be best practice, but it doesn't mean it's stored unhashed in the database. It looks like they're using a third party forum software, so it should be pretty straightforward to figure out whether they do or not.

Looks like they address it here: https://forums.larian.com/ubbthreads.php?ubb=showflat&Number=669268#Post669268

Set your password to an EICAR test string and see what else you can brick on their site.

While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn't mean they store your password in their database as plaintext.

It's 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one, with multi factor auth on important sites like email.

For those who haven't made accounts yet, you don't actually have to make an account to play Larian Studios games.