lichess.org
Donate

Password Security

Tournament administrators can change tournament settings and invite teams to them.
@dgwlfkskjkjkjkj That's wrong, as Thibault literally just explained. Lichess does not know your password and it's not stored on the Lichess server and the same is true for any respectable website. Doing that would be a pretty bad security risk in case of data leaks and probably not GDPR compliant. Instead, Lichess only stores a jumbled up (i.e. "hashed") version of your password. When you try to log in, Lichess jumbles up the password you entered in the same way and if the result is what is stored in the database, it knows you entered the right password. But it's pretty much impossible to get back the original password from the jumbled-up version so Lichess does in fact not know your password and none of the mods, not even sysadmins or Thibault, can find it out.
<Comment deleted by user>
I am reading a lot of arguments about why hashing the passwords is less practical than not hashing them. Okay, some of the reasons are reasonable even if I don't necessarily agree with them.
I however still see zero reasons why the admins of the site, who are around 50-60, should have any business being able to see the passwords in plain text (or in any way) just when looking at a team, or doing anything regarding the team altogether.
Make it that the team leaders can see the password if they choose so, but nobody else other than the team leaders. Not the admins, not the mods, not the team members. Nobody.
Team passwords are still passwords and I should be within all my rights to choose which people on this planet can know about it, without 60 other people I didn't account for also knowing the password.
Disclaimer: I might be missing some subtle point here...

I think nobody should be able to see someone else's password. Admins and/or team leaders should be able to reset (or ask team members to reset) them, and that should be it.

EDIT: just realized that team passwords have to be shared online to allow new members to join the team. Still, I don't see why site admins should see them...

EDIT2: there should be better ways to allow team leaders to see their teams' password other than storing it in plain text...
@benwerner is correct. Lichess doesn't have your original password it only has the hashed(#) version. Other wise, that would be a very insecure security system.

This topic has been archived and can no longer be replied to.