Well according to this link on the old forum maker’s website passwords are stored hashed.
What is a hash?
A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value.
Here are 2 similar passwords and their hashes. Notice how different they are just by changing 1 character. (Capital P)
password1 - 7c6a180b36896a0a8c02787eeafb0e4c
Password1 - 2ac9cb7dc02b3c0083eb70898e549b63
This makes guessing a hashed password almost impossible.
But I did a little research and found that the password is sent to the server before it is hashed rather than being hashed at the browser.
What does this mean? It goes as follows…
You register and when you sign up your password is hashed and stored in a database.
When you sign in your browser sends your user name ‘user1’ and password ‘password1’ to the server.
The server hashes your password into a hash that looks like this: 7c6a180b36896a0a8c02787eeafb0e4c
It looks you up in the database by user name and compares the hash to what is stored from when you registered.
If those 2 hashes match then it knows you typed your password right. If not it kicks you out.
So essentially they could be saving your password both hashed or in plain text. You really don’t know.
Also the web site is not a secured (https) site. Therefore your user name and password are sent across the internet in plain text. This means any computer or router that it goes through can easily read it. This includes your ISP, the ISP hosting the web site, all the servers the traffic passes through in between and, if you are at work, your IT department.
The bottom line is you have to trust a lot of people so when you use ANY web site you should never use the same user name / password / email address combination.
I have 3 different user names, 4 different emails and about 8 different passwords I use depending on what I’m logging in to just for these reasons.
Think about this… what email address did you use when you signed up here? If you said Yahoo, Gmail or Hotmail think about this next question carefully. What password did you use? Is it the same one you use to get your email? If so the site admins might be able to get into your email. (I stress MIGHT. I am not accusing anyone of anything, just asking people to think about it for a second.)
I’ve worked with SMF forums before and I know they encrypt passwords to a hash before storing so I feel safe here but you can never be 100%.
The thing I’d be more worried about is this: Have you ever filled out one of those “What Simpsons character are you?” things and had to give an email and password? Is the password you gave the same you use for that email? Do you know who runs that site? Do you trust them? I sure as hell wouldn’t.
For the tl;dr crowd… I’m sure the Arduino staff did/does everything right, but just please be careful out there.
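The register/sign-in flow the post describes, written out as an added Python example (this is not code from the post, from SMF or from the Arduino forum). It reproduces the two MD5 digests quoted above and counts how many bits change between them, then shows the server-side check the post walks through: hash what the browser sent, look the user up, compare. The storage format is an assumption on my part: instead of bare MD5, the store keeps a random per-user salt and a PBKDF2-HMAC-SHA256 digest with a work factor of 200,000 iterations, and the comparison uses `hmac.compare_digest`, so two users with the same password get different records and a leaked database cannot be checked against a precomputed table of fast hashes. The dict `db` stands in for the forum's database.

```python
import hashlib
import hmac
import os

# Constructed sample passwords taken from the post; the MD5 digests quoted
# there are what md5_hex() returns for them.
PASSWORDS = ("password1", "Password1")


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the kind of hash the post shows."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hamming_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests
    (the 'avalanche' the post points at: one changed character, most bits change)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# --- Server side: the store that replaces 'the database' in the post --------
ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune to your own hardware


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """Step 1 in the post: hash the password at sign-up and store only the hash.
    A fresh random salt is stored beside it; the plaintext is never written."""
    salt = os.urandom(16)
    db[username] = {"salt": salt, "digest": _derive(password, salt)}


def login(db: dict, username: str, password: str) -> bool:
    """Steps 2-4 in the post: the server receives the submitted password,
    hashes it with the stored salt, looks the user up and compares hashes."""
    record = db.get(username)
    if record is None:
        # Unknown user: still do the work so timing does not reveal which
        # user names exist.
        _derive(password, b"\x00" * 16)
        return False
    candidate = _derive(password, record["salt"])
    # Constant-time comparison so a mismatch does not leak where it differed.
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    """Run the whole flow and return the facts worth checking."""
    db = {}
    register(db, "user1", "password1")
    register(db, "user2", "password1")  # same password, different user
    a, b = (md5_hex(p) for p in PASSWORDS)
    return {
        "md5": {"password1": a, "Password1": b},
        "bits_changed": hamming_bits(a, b),
        "login_ok": login(db, "user1", "password1"),
        "login_wrong_case": login(db, "user1", "Password1"),
        "login_unknown_user": login(db, "nobody", "password1"),
        # Salting: identical passwords do not produce identical records.
        "same_password_same_record": db["user1"]["digest"] == db["user2"]["digest"],
        "plaintext_in_store": "password1" in repr(db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the example cannot fix: the server still receives the plaintext password over the wire before it hashes it, exactly as the post says, so without https everything between the browser and the server still sees it. Hashing at rest protects the stored copy, not the one in transit.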