Tonight I went to sign on as usual, but got the response, "That e-mail and password combination not recognised". I had to go through the "forgotten password" link, even though I hadn't forgotten it, to get in.
Am I being paranoid here or does something stink of fish?
Topcattopone said: Tonight I went to sign on as usual, but got the response, "That e-mail and password combination not recognised". I had to go through the "forgotten password" link, even though I hadn't forgotten it, to get in.
Am I being paranoid here or does something stink of fish?
I had the same issue a little while ago and had to reset as well to log in.
MM beefed up the password checking a while back; it turned out the previous version only checked the first so many characters and ignored the rest.
So if someone's password was set to bananaWAM27, but they'd misremembered it as bananaWAM43, it would still have worked because only "bananaWA" was actually being checked. The improved version checked the entire string so all of a sudden passwords that used to work stopped working.
The solution is a password reset, or if that's not possible due to a lost email account, message MM (create a new a/c if necessary) and he'll be able to sort it for you.
DungeonMasterOne said: MM beefed up the password checking a while back; it turned out the previous version only checked the first so many characters and ignored the rest.
So if someone's password was set to bananaWAM27, but they'd misremembered it as bananaWAM43, it would still have worked because only "bananaWA" was actually being checked. The improved version checked the entire string so all of a sudden passwords that used to work stopped working.
The solution is a password reset, or if that's not possible due to a lost email account, message MM (create a new a/c if necessary) and he'll be able to sort it for you.
Sorry, what? You mean to tell me you were storing unsalted passwords and doing a plaintext comparison? Please tell me this isn't the case any more.
DungeonMasterOne said: MM beefed up the password checking a while back; it turned out the previous version only checked the first so many characters and ignored the rest.
So if someone's password was set to bananaWAM27, but they'd misremembered it as bananaWAM43, it would still have worked because only "bananaWA" was actually being checked. The improved version checked the entire string so all of a sudden passwords that used to work stopped working.
The solution is a password reset, or if that's not possible due to a lost email account, message MM (create a new a/c if necessary) and he'll be able to sort it for you.
Sorry, what? You mean to tell me you were storing unsalted passwords and doing a plaintext comparison? Please tell me this isn't the case any more.
That's a simplification based on what MM posted back at the time. I think the issue was the old system had only hashed the first so many characters (and discarded the rest), and the check was likewise checking the hashed version against just the first X many characters.
The passwords were stored encrypted, but what was stored in the example above was just the encrypted hash of bananaWA rather than the full bananaWAM27.
When the user entered their incorrectly remembered bananaWAM43, only bananaWA was actually checked against the encrypted version - so it matched.
I gather the new version encrypts and checks the entire password, both for what's stored and what's checked against it.
DungeonMasterOne said: MM beefed up the password checking a while back; it turned out the previous version only checked the first so many characters and ignored the rest.
So if someone's password was set to bananaWAM27, but they'd misremembered it as bananaWAM43, it would still have worked because only "bananaWA" was actually being checked. The improved version checked the entire string so all of a sudden passwords that used to work stopped working.
The solution is a password reset, or if that's not possible due to a lost email account, message MM (create a new a/c if necessary) and he'll be able to sort it for you.
Sorry, what? You mean to tell me you were storing unsalted passwords and doing a plaintext comparison? Please tell me this isn't the case any more.
That's a simplification based on what MM posted back at the time. I think the issue was the old system had only hashed the first so many characters (and discarded the rest), and the check was likewise checking the hashed version against just the first X many characters.
The passwords were stored encrypted, but what was stored in the example above was just the encrypted hash of bananaWA rather than the full bananaWAM27.
When the user entered their incorrectly remembered bananaWAM43, only bananaWA was actually checked against the encrypted version - so it matched.
I gather the new version encrypts and checks the entire password, both for what's stored and what's checked against it.
But if that were the case, then *everyone* would have needed to reset their passwords - UMD would only have the old hash of truncated passwords, right? Or was the limit long enough that most passwords were below it?
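Added example (my own, not code from the site or its admin) reconstructing the mechanism DungeonMasterOne describes and GungeDrop's follow-up about who actually needed a reset. The eight-character limit (the length of "bananaWA"), the salted PBKDF2 scheme and the salt value are assumptions.

```python
import hashlib
import hmac

# Constructed values from the thread: the real password, and the misremembered
# one that still logged in under the old check.
STORED_PASSWORD = "bananaWAM27"
MISREMEMBERED = "bananaWAM43"
LEGACY_LIMIT = 8  # assumption: "bananaWA" is eight characters
SALT = b"constructed-demo-salt"  # fixed so the demo is reproducible


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (an assumption; the site's real scheme is unknown)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def legacy_hash(password: str, salt: bytes = SALT) -> bytes:
    """Old behaviour as described: only the first LEGACY_LIMIT characters are hashed."""
    return _derive(password[:LEGACY_LIMIT], salt)


def legacy_check(candidate: str, stored: bytes, salt: bytes = SALT) -> bool:
    """Old check truncates the same way, so any string sharing the prefix matches."""
    return hmac.compare_digest(legacy_hash(candidate, salt), stored)


def full_hash(password: str, salt: bytes = SALT) -> bytes:
    """Fixed behaviour: the whole string is hashed."""
    return _derive(password, salt)


def full_check(candidate: str, stored: bytes, salt: bytes = SALT) -> bool:
    """Fixed check compares against a hash of the whole string, in constant time."""
    return hmac.compare_digest(full_hash(candidate, salt), stored)


def demo() -> dict:
    """Reproduce the thread's scenario and answer the follow-up question."""
    old_record = legacy_hash(STORED_PASSWORD)  # what the database held
    new_record = full_hash(STORED_PASSWORD)    # what it holds after a reset
    return {
        # The misremembered password was accepted: same first eight characters.
        "legacy_accepts_misremembered": legacy_check(MISREMEMBERED, old_record),
        # After the upgrade the correct password no longer matches the truncated
        # record, which is why users with long passwords had to reset.
        "full_accepts_correct_vs_old_record": full_check(STORED_PASSWORD, old_record),
        "full_accepts_misremembered_vs_new_record": full_check(MISREMEMBERED, new_record),
        # A password at or under the limit hashes identically under both schemes,
        # so those users would not have noticed anything.
        "short_password_survives_upgrade": full_check("banana", legacy_hash("banana")),
    }
```

Running `demo()` shows the old record accepting the wrong password, the upgraded check rejecting the right one against that same record, and short passwords carrying over untouched.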
GungeDrop said: But if that were the case, then *everyone* would have needed to reset their passwords - UMD would only have the old hash of truncated passwords, right? Or was the limit long enough that most passwords were below it?
You'd have to check with MM for the full details, I was just posting a simplified example of what happened to explain that no, nothing fishy going on, just the aftermath of a security upgrade that revealed a hitherto unknown issue in the older system. It caught me out but then I use long and secure passwords.