Not sure where to put this, but...
TL;DR: The NESmaker activation system, https://www.softworkz.com/mylicense, has EXTREMELY BAD SECURITY and if you use the same password there as on ANY other site or system, you need to change it. NOW.
And I don't mean change it at Softworkz. No, you need to change it EVERYWHERE YOU'VE USED IT.
This is an issue I discovered almost immediately when I received my NESmaker license as a backer. I habitually try out the "resend my password" feature of new systems that require registration.
If the system sends me a NEW password, it's an indication that my password MIGHT be securely stored - hashed and hopefully salted.
Or the devs are just clever enough to obfuscate their poor security.
HOWEVER - if the system sends me my ACTUAL PASSWORD IN PLAINTEXT in an E-mail... that's bad. Oh man, that's bad.
Because that means whoever designed the system has given next to no thought to security. It means my password is stored in plaintext - and anyone who manages to hack into the server or gains access to the database in any other way... also has my password. In plaintext.
Guess what? The Softworkz site sends you your password in plaintext. Over E-mail, no less. Not a new password - I've checked multiple times. The same password.
This... this is BAD.
It gets worse. Since the site has a policy of not allowing you to reuse passwords... that means they also save ALL your OLD passwords as well. And I assume they do so in plaintext.
So... Every password you've ever used on the Softworkz license site must now be considered insecure. If you've used them anywhere else, go change them. Everywhere.
Why haven't I said anything before, if I discovered this back when I first got my license? Well, I wanted to give the NESmaker people the chance to fix it.
So I contacted them: first using the form on their site on August 10, then again via the Facebook page on August 23.
No response. And now it's been the customary 60 days... So here it is.
I really, really want to be wrong about this, so feel free to correct me.
(Now that I think about it... This site doesn't even use HTTPS, does it? Man oh man...)
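
An added example (not part of the original post, and not Softworkz's code) of the alternative to the behaviour described above: passwords and the password history are kept only as salted scrypt hashes, the no-reuse policy is enforced by re-hashing the candidate under each old salt, and "forgot my password" mails a one-time token instead of the password. The `Account` class, its method names and the 15-minute token lifetime are hypothetical.

```python
import hashlib, hmac, secrets, time

def kdf(password: str, salt: bytes) -> bytes:
    # Slow, salted, one-way: the server can verify a password but never recover it.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 2**20, dklen=32)

class Account:  # hypothetical user record, for illustration only
    RESET_TTL = 15 * 60  # assumed token lifetime in seconds

    def __init__(self, password: str):
        self.history = []   # (salt, digest) pairs, newest last; no plaintext anywhere
        self.reset = None   # (sha256 of token, expiry time) while a reset is pending
        self.set_password(password)

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(kdf(password, salt), digest)

    def verify(self, password: str) -> bool:
        return self._matches(password, self.history[-1])

    def set_password(self, new_password: str) -> bool:
        # No-reuse policy: re-hash the candidate under each old salt and compare.
        if any(self._matches(new_password, e) for e in self.history):
            return False
        salt = secrets.token_bytes(16)
        self.history.append((salt, kdf(new_password, salt)))
        return True

    def start_reset(self) -> str:
        # The token is what gets e-mailed; only its hash is stored server-side.
        token = secrets.token_urlsafe(32)
        self.reset = (hashlib.sha256(token.encode()).digest(),
                      time.time() + self.RESET_TTL)
        return token

    def finish_reset(self, token: str, new_password: str) -> bool:
        if self.reset is None:
            return False
        token_hash, expires = self.reset
        supplied = hashlib.sha256(token.encode()).digest()
        if time.time() > expires or not hmac.compare_digest(supplied, token_hash):
            return False
        if not self.set_password(new_password):
            return False    # reused password: token stays valid for another try
        self.reset = None   # single use
        return True
```

With this design a "resend my password" feature cannot exist, because the server holds nothing it could send back.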