Security Concern about Chess.com

Just because they email you your password, it does not follow that they are storing your password. They may generate the email at the point when you set or reset your password.

Well, if they e-mail me my current password, they're clearly storing it in some form that can be converted back to plain text (likely in plain text itself). Best practice is to store an encrypted or hashed password, and to send an automatically reset password to the e-mail on file.
That said, if chess.com's database gets compromised, the integrity of my account's password is the least of my concerns (or chess.com's). Further, if my password is stolen from chess.com's database and that results in other more important personal information ending up at risk because I use that password for everything, that's my bad practice and my fault, not chess.com's.
I'd be much more concerned that as a paying member my credit card info's stored in chess.com's database (evidence of this is that chess.com employs negative option billing to re-bill my card annually).
If your chess.com password is the same as your online banking password, you'd better change one or both.
Incidentally, one other place I've noticed where security best practice isn't followed is when I enter a wrong user ID or password the system tells me which of the two is wrong.

I totally agree with this post. They are storing the password in plain text and it's a severe security hole. I have nothing else to add to the technical explanation chadivision gives. I'd just love to see this changed in chess.com for everyone's (including me) ease of mind. I'm a programmer myself, and I can help if you want :)
Site is great by the way!
Bests,
J
Chadivision is right, unfortunately sites don't often want to upgrade their security until they get hacked (just ask Sony he he).
Everybody should really use separate passwords for different sites but that gets complicated. Let's just hope all our credit card info is secure......
...
And then at least you can pride yourself on having better security than Stratfor lol.
After I signed up to chess.com I got notifications from my e-mail provider that there were attempts to access my account from different locations.

Somebody just private messaged me here on chess.com my email and password and said it got leaked to the net. Don't know how this happened, but I am definitely very concerned. I already changed my password.

As you changed password, maybe worth letting support know also
https://support.chess.com/article/346-contact-us
Thanks
I just wanted to bring something to the attention of the admins of the site (not sure if this is the proper place to post it, but I couldn't find a "contact us" link anywhere).
I just used the reset password option, and I was surprised that the site sent my password to me in an email. This is potentially a major security concern for a couple of reasons.
First, email is handed off from server to server multiple times before it reaches the end user, and it's highly possible that someone could intercept it in the middle. Many people (not me) use the same password for everything, and if the wrong person got ahold of it, it could compromise any number of online accounts.
Second, it's not the best practice for the site to store the password itself in its database. That makes it possible for anyone with administrator access to chess.com's servers (or someone who manages to hack in) to be able to read everyone's password, and as I mentioned above, that password may be the same as on some other accounts.
Instead, the site could store a hash of the password and not the password itself, then if the database becomes compromised (it could happen--just ask Sony) the hacker would have the hashes of the passwords but no easy way to retrieve the passwords themselves.
I would also suggest that the reset password link not email the password itself but instead send a link that will allow the user to create a new password (or possibly send a default password that requires the user to change it immediately after logging in).
I like the site, and I'm not trying to put it down in any way. I just feel that if a few changes were made, it would make everyone's information much more secure.
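The suggestions made in this thread (store a salted hash instead of the password, email a one-time reset link instead of the password, and give the same error for a wrong user ID or a wrong password) can be sketched as follows. This is an added example, not part of any post and not chess.com's code; the in-memory stores, function names, PBKDF2 parameters and token lifetime are all assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

USERS = {}    # username -> (salt, derived key); the password itself is never stored
RESETS = {}   # sha256(token) -> (username, expiry); the raw token is never stored
TOKEN_TTL = 15 * 60  # seconds; constructed value for this example

def _derive(password, salt):
    # Slow, salted key derivation so a stolen table is costly to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def set_password(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _derive(password, salt))

def login(username, password):
    # Unknown users get a dummy record so both failure paths do the same work
    # and return the same message (no hint about which field was wrong).
    salt, stored = USERS.get(username, (b"\0" * 16, b"\0" * 32))
    match = hmac.compare_digest(_derive(password, salt), stored)
    return "ok" if match and username in USERS else "invalid username or password"

def request_reset(username, now=None):
    # Returns the one-time token that would be placed in the emailed link.
    if username not in USERS:
        return None  # the caller shows the same "check your email" page either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESETS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    return token

def redeem_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    # pop() makes the token single-use even if the email is read by someone else later.
    entry = RESETS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True
```

With this layout the site has nothing it could email back as "your password", and a copy of either table yields neither passwords nor usable reset links.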