Logging in from a different session, I had forgotten my account password. So I used the password recovery function of Lush. It said: "An email containing your password has been sent". I think that's the point where I got worried.
Anyway, the email arrived immediately, stating:
Hi LeCygneNoir,
You have requested your password for Lush Stories.
Your password is PLAINTEXTPASSWORD
Cheers,
Lush Stories Admin
https://www.lushstories.com/
So, for the non-geeks here: THIS IS DANGEROUS! The fact that Lush is able to send you back the password you set means that the passwords are stored somewhere in Lush's databases. I can't know the details, but even if they're encrypted, it's subpar security. On any decent website handling personal information, passwords are never (MUST NEVER!) be accessible. Instead, they store a hash of each password as it's entered. That's why Google doesn't send you your password back but asks you to create a new one instead, because they don't know it.
A little video to sum this up perfectly:
Why is this important? Lush is obviously a more sensitive website than most. And although we're all using pseudonyms, I'm assuming a LOT of very private information and media transits through here every day. Anyone who may not want some of the stuff they put in here to get out there is concerned.
It just feels wrong to have subpar security around. So, admins... this is important. If you can get around to implementing additional layers of security, like hashes, that would be much appreciated.
Thanks in advance,
LCN
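To make the difference concrete, here is an added example (not code from the post or from the Lush site) contrasting the two storage designs the post talks about. The first store keeps the password itself, which is what makes a "Your password is ..." email possible at all. The second keeps only a salted PBKDF2 digest, so the site can check a login attempt but has nothing to mail back, and "recovery" has to become a reset with a single-use random token. The iteration count, the in-memory dictionaries, and the `reset_with_token` flow are assumptions made for the illustration, not a description of any real site's code.

```python
import hashlib
import hmac
import os
import secrets

# --- Pattern described in the post (constructed illustration): plaintext storage.
# The stored value IS the password, so a "recovery" feature can simply mail it out.
plaintext_store = {}

def register_plaintext(username, password):
    plaintext_store[username] = password

def recover_plaintext(username):
    # This is exactly what makes a "Your password is ..." email possible.
    return plaintext_store[username]

# --- Hashed storage: the site keeps only a per-user random salt and a PBKDF2 digest.
hashed_store = {}
ITERATIONS = 200_000  # assumption: an illustrative PBKDF2-HMAC-SHA256 work factor

def hash_password(password, salt=None):
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user, so equal passwords give different digests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def register_hashed(username, password):
    salt, digest = hash_password(password)
    hashed_store[username] = {"salt": salt, "digest": digest}

def verify_hashed(username, candidate):
    rec = hashed_store.get(username)
    if rec is None:
        return False
    _, digest = hash_password(candidate, rec["salt"])
    # Constant-time comparison so a mismatch takes the same time wherever it occurs.
    return hmac.compare_digest(digest, rec["digest"])

def recover_hashed(username):
    # There is nothing to send back: the password cannot be derived from the digest.
    raise LookupError("password is not stored; issue a reset token instead")

# --- Reset flow: email a short-lived random token, then let the user set a new password.
reset_tokens = {}  # sha256(token) -> username; only the hash of the token is kept server-side

def issue_reset_token(username):
    token = secrets.token_urlsafe(32)
    reset_tokens[hashlib.sha256(token.encode("utf-8")).digest()] = username
    return token  # this is what goes into the email instead of a password

def reset_with_token(token, new_password):
    key = hashlib.sha256(token.encode("utf-8")).digest()
    username = reset_tokens.pop(key, None)  # pop() makes the token single-use
    if username is None:
        return False
    register_hashed(username, new_password)
    return True

if __name__ == "__main__":
    register_plaintext("LeCygneNoir", "hunter2")  # constructed sample credentials
    print("plaintext store can mail back:", recover_plaintext("LeCygneNoir"))
    register_hashed("LeCygneNoir", "hunter2")
    print("hashed store verifies login:", verify_hashed("LeCygneNoir", "hunter2"))
    token = issue_reset_token("LeCygneNoir")
    print("reset succeeded:", reset_with_token(token, "new-password"))
    print("old password rejected:", not verify_hashed("LeCygneNoir", "hunter2"))
```

The stored record for a hashed account contains a salt and a digest and nothing else, so a leak of that table does not hand out working passwords, and the only thing the site can ever email is a reset link. A real deployment would use a dedicated password-hashing library and expire the reset tokens, but the shape of the design is the point here.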