Now Viewing: hacked

saofan22 - Group: Member - Total Posts: 7
hacked
Posted on: 07/12/16 10:36AM

Aw hell, I was hacked! My original account gundamfighterichigo was hacked. I can't use it, it even says it has no email. So this account is now me.



Jerl - Group: The Real Administrator - Total Posts: 6706
Posted on: 07/12/16 11:20AM

Are you sure you didn't just use a different password than normal and forget about it?



saofan22 - Group: Member - Total Posts: 7
Posted on: 07/12/16 11:32AM

No, because my pass has remained the same for the past 2 1/2 years.



Anti_Gendou - Group: Moderator - Total Posts: 4365
Posted on: 07/12/16 09:09PM

If it is hacking, the most likely cause is giving the password away (even if it was for another site; if you use the same password for everything, you compromise it all).

Malware could be, but I'm not sure who would want a Gelbooru...or any booru account unless it was for trolling purposes. (Even mods and admins would not be worth hacking for anything other than lulz tbh) Keep in mind the former point, you could be being targeted for a completely different account elsewhere. (tin foil hat mode)

Password leaking on Gelbooru's part is possible, and that would mean just about everyone's passwords would now be public knowledge. This doesn't seem likely either but would be worth looking into if you seriously think it is the case.

It could also be a glitch I suppose?

I actually have a router that tells me my password is incorrect even after factory resetting the thing. The problem is my computer, not the router, as the password would work on any other device. Just an example. It is very strange.



jedi1357 - Group: Moderator - Total Posts: 5772
Posted on: 07/12/16 09:20PM

Anti_Gendou said:

Password leaking on Gelbooru's part is possible.


Do we even store passwords? I thought we just used a nonce handshake or something. If that's the case then even the site owner couldn't know what your password was. Jerl might know.



Jerl - Group: The Real Administrator - Total Posts: 6706
Posted on: 07/12/16 09:34PM

jedi1357 said:
Anti_Gendou said:

Password leaking on Gelbooru's part is possible.


Do we even store passwords? I thought we just used a nonce handshake or something. If that's the case then even the site owner couldn't know what your password was. Jerl might know.


It isn't even remotely possible that your password itself would be leaked by Gelbooru. Actually, the fact that raw plaintext passwords are leaked from anywhere is honestly stupefying, since even a first-year CS student would know better than that and would know how to prevent it.

We store passwords as sha-1 hash of the md5 hash of your text password. Even lozer has no way of knowing what your actual password is.

Now, the sha-1 hash of the md5 hash of your password could, in theory, be leaked by either the site if we got hacked (which is also somewhat unlikely due to the way our servers are routed) or by you (since that hash is stored as a cookie in your browser to authenticate your login whenever you request a page). However, it'd only be useful on sites that share our exact same hashing scheme; that means they'd have to also do sha1(md5(password)) (most places just do one or the other) and they'd need to use the exact same salt as we do.
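
An added example, not Gelbooru's code and not part of the posts above: it models the scheme the post describes, where the cookie holds the same sha1(md5(password)) value the database stores, next to a hardened layout with a per-user salted slow KDF and a random session token. The salt value and its placement, the function names, the PBKDF2 parameters and the hardened design are assumptions made here, and Python stands in for whatever language the site uses.

```python
import hashlib
import hmac
import secrets

SITE_SALT = "constructed-site-salt"  # assumption: the thread gives neither value nor placement

def legacy_hash(password: str) -> str:
    """sha1(md5(password)) with one site-wide salt, as the post describes."""
    inner = hashlib.md5((SITE_SALT + password).encode()).hexdigest()
    return hashlib.sha1(inner.encode()).hexdigest()

def legacy_cookie_valid(cookie: str, stored_hash: str) -> bool:
    # The cookie carries the same value the database stores, so the stored
    # hash is itself a login credential and never expires.
    return hmac.compare_digest(cookie, stored_hash)

def new_password_record(password: str) -> tuple[bytes, bytes]:
    """Hardened storage: per-user random salt and a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return hmac.compare_digest(candidate, key)

def issue_session() -> tuple[str, str]:
    """Return (cookie value, digest kept server-side); unrelated to the password."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()

def session_valid(cookie: str, stored_digest: str) -> bool:
    digest = hashlib.sha256(cookie.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)

if __name__ == "__main__":
    stored = legacy_hash("hunter2")  # constructed sample password
    print("legacy: stored value accepted as cookie:", legacy_cookie_valid(stored, stored))
    print("legacy: equal passwords share a hash:", legacy_hash("hunter2") == stored)
    token, digest = issue_session()
    print("hardened: real cookie accepted:", session_valid(token, digest))
    print("hardened: stored digest accepted as cookie:", session_valid(digest, digest))
```

Because the session token is random and independent of the password, it can be expired or revoked server-side without touching the password record.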



Anti_Gendou - Group: Moderator - Total Posts: 4365
Posted on: 07/12/16 10:25PM

Jerl said:

It isn't even remotely possible that your password itself would be leaked by Gelbooru. Actually, the fact that raw plaintext passwords are leaked from anywhere is honestly stupefying,


Actually happens frequently... and not just to little sites either.

The biggest sites on the planet have had this done.

The fact that people think it doesn't might be part of the problem. That or huge ass corporations are lazy due to the fact that actual security takes from their bottom line in ways that a private site may not give a shit about. Like how porn sites are typically more secure than church websites...



Crazy_Lezard - Group: Member - Total Posts: 39
Posted on: 07/13/16 02:02AM

The PSN debacle alone should be proof enough that a lot of online services don't take security that seriously.



Jerl - Group: The Real Administrator - Total Posts: 6706
Posted on: 07/13/16 05:56AM

Anti_Gendou said:
Jerl said:

It isn't even remotely possible that your password itself would be leaked by Gelbooru. Actually, the fact that raw plaintext passwords are leaked from anywhere is honestly stupefying,


Actually happens frequently... and not just to little sites either.

The biggest sites on the planet have had this done.

The fact that people think it doesn't might be part of the problem. That or huge ass corporations are lazy due to the fact that actual security takes from their bottom line in ways that a private site may not give a shit about. Like how porn sites are typically more secure than church websites...


Yes, I know that it happens quite frequently.

However, it literally takes about 15 minutes for a really slow programmer to add in the code required to hash passwords instead of storing them as plaintext. Hashing passwords alone isn't enough to implement good security, but it has an absolutely negligible effect on the bottom line, and completely removes any chance of plaintext passwords leaking.



saofan22 - Group: Member - Total Posts: 7
Posted on: 07/13/16 06:04AM

Jerl said:
Anti_Gendou said:
Jerl said:

It isn't even remotely possible that your password itself would be leaked by Gelbooru. Actually, the fact that raw plaintext passwords are leaked from anywhere is honestly stupefying,


Actually happens frequently... and not just to little sites either.

The biggest sites on the planet have had this done.

The fact that people think it doesn't might be part of the problem. That or huge ass corporations are lazy due to the fact that actual security takes from their bottom line in ways that a private site may not give a shit about. Like how porn sites are typically more secure than church websites...


Yes, I know that it happens quite frequently.

However, it literally takes about 15 minutes for a really slow programmer to add in the code required to hash passwords instead of storing them as plaintext. Hashing passwords alone isn't enough to implement good security, but it has an absolutely negligible effect on the bottom line, and completely removes any chance of plaintext passwords leaking.

So is my old account screwed?


