The server stores passwords in plaintext; they are neither hashed nor salted. Thus, anyone with access to accounts.csv (operators of the server, or someone who stole the information) can gain access to any user's account.
Instead, each password should have a randomized salt (public, but unique per user) concatenated to it, and the password+salt should be sent through a one-way hash function. The output of this hash function should be stored, rather than the plaintext password.
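A sketch of the recommended storage scheme, added here as an example and not taken from the server's own code. It uses PBKDF2-HMAC-SHA256 as the one-way function (a deliberately slow salted hash rather than a single hash call); the four-column accounts.csv layout, the iteration count, and the function names are assumptions.

```python
import csv
import hashlib
import hmac
import io
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value, stored per row)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way, salted, deliberately slow hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str) -> list:
    """Build the row to store: the salt is public, the password is never written."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hash_password(password, salt)
    return [username, salt.hex(), str(ITERATIONS), digest.hex()]


def build_accounts(users: dict) -> str:
    """Serialize hashed records in the assumed accounts.csv layout."""
    out = io.StringIO()
    writer = csv.writer(out)
    for name, password in users.items():
        writer.writerow(make_record(name, password))
    return out.getvalue()


def verify(csv_text: str, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) == 4 and row[0] == username:
            salt, stored = bytes.fromhex(row[1]), bytes.fromhex(row[3])
            candidate = hash_password(password, salt, int(row[2]))
            return hmac.compare_digest(candidate, stored)
    return False


if __name__ == "__main__":
    # Constructed sample accounts; both users share a password on purpose
    # to show that per-user salts still yield different stored hashes.
    accounts = build_accounts({"alice": "hunter2", "bob": "hunter2"})
    print(accounts)
    print(verify(accounts, "alice", "hunter2"), verify(accounts, "alice", "wrong"))
```

Because each row carries its own salt, identical passwords produce different stored values, so a stolen file cannot be attacked with one precomputed table or reveal which users share a password.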