Securely hashed and salted; possibly they are using bcrypt. Well, they don’t have the passwords in plain text, but they still could be brute-forced against and compared with the hash if the password is simple. Or if bcrypt someday becomes weak due to vulnerabilities.
The other reason is likely they have your session token. This can be used to log in as you or maybe even have the connection reversed and connect to your server if Plex uses some API. This is why they want you to change your password and log out. I’m not a security researcher, so I can’t give anything definitive, just logical reasoning.
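The two points in the post above (a salted slow hash still falls to guessing when the password is weak, and a stolen session token keeps working until it is revoked) are easy to see in a small account store. The following is an added example and not Plex’s code or anything from this thread; the post only speculates that bcrypt is in use, so this uses the standard-library PBKDF2-HMAC as a stand-in for any salted, slow password hash, and the blocklist, round count and user names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for a "common passwords" blocklist; a real deployment
# would use a large breached-password list instead of these three entries.
COMMON_PASSWORDS = {"password", "123456", "plex1234"}

# Assumed work factor for the demo; bcrypt or argon2 would be tuned similarly.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per password means two users
    with the same password get different digests, so a precomputed table of
    hashes is useless; the slow KDF makes each guess cost real CPU time."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """In-memory users and sessions (constructed for the example)."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, digest)
        self.sessions: Dict[str, str] = {}                 # token -> username

    def register(self, username: str, password: str) -> None:
        # Salting does not protect a password that an attacker will guess
        # early, so reject known-weak choices before they are ever hashed.
        if password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is on the common-password blocklist")
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a random session token on success, None otherwise."""
        if username not in self.users:
            return None
        salt, digest = self.users[username]
        if not verify_password(password, salt, digest):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def whoami(self, token: str) -> Optional[str]:
        """Resolve a presented token; a stolen token is as good as a password
        until it is removed from this table."""
        return self.sessions.get(token)

    def change_password(self, username: str, new_password: str) -> None:
        """Rehash with a new salt and revoke every session for the user, so a
        leaked token stops working even though the attacker still holds it.
        This is the 'change password and log out everywhere' advice in code."""
        if new_password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is on the common-password blocklist")
        self.users[username] = hash_password(new_password)
        self.sessions = {t: u for t, u in self.sessions.items() if u != username}


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    token = store.login("alice", "correct horse battery staple")
    print("token valid for:", store.whoami(token))
    store.change_password("alice", "a different long passphrase")
    print("old token after reset:", store.whoami(token))  # None: revoked
```

The important design choice is that a password change revokes the session table as well as replacing the hash: rotating only the hash would leave any already-issued token usable, which is exactly the exposure the post describes.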
Not that anyone should be using passwords given the way Plex pushed 2FA.
Usernames, meh.
If you are concerned, use email aliases. I have a dozen with the name of the site as part of the username. When it gets distributed and I get spam, I know where it comes from.
Unfortunately, the user is typically stupid, and the ones that know better are typically lazy. This is a self-hosting platform, not an enterprise hosting platform.
I’m not concerned, just putting in my .02c in the hopes that someone scrolling through understands that there are risks beyond someone getting into their Plex account.
True but given the complexities of managing a Plex server these days, good password management should be a given.
However, as 2FA is available, why …..
Edit - I keep a help document regularly updated with common issues and solutions that my wife can fall back on when I kark it. Plex is no longer the simple beast it was a decade ago. I feel like I’m back in XBMC (Kodi) again. The great thing is, she has full access to my password manager (incl. authenticator) and she is incredibly good at using it.
This is why @oi3888’s request doesn’t make sense unless it’s an additional option. But Plex still needs the authentication server so they can say “you need Plex Pass for this feature.” So it won’t likely be removed.
However, once you access this it will redirect you to Plex’s authentication server and then pass you back to the server.
This also has the benefit of indirectly stopping some DDoS attacks on your server port because of the redirection. It won’t stop all botnets, but some, because Plex is taking the brunt, not you.
For direct access you probably can with a reverse proxy. But on Plex’s side, via plex.tv login, currently no.
I’m totally for having advanced options for sysadmins that can handle it themselves. I just feel they are serving the lowest common denominator. KISS method for the normies.
There is another way to handle this, and it’s to use a 3rd party for auth. There are countless Oktas out there, and I’d imagine “social log in” can be had for free.
Good grief, thank you. If I’d known I could just do it locally I would have done that. Now that you’ve told me, I went in and changed it, and indeed it seems to have changed the login at the website also, so with any luck all is well. I’m done for the day so I guess I’ll find out tomorrow whether or not things are still working.
You have told me something else I didn’t know, which is that Plex supports two-factor authorization. I’ll probably set that up at some point.
I received word of this from a friend yesterday at 4:30pm. I assumed my information wasn’t included because I never received an e-mail. Now I received an e-mail from Plex at 10:00am today, 18 and a half hours after he informed me that he got an e-mail. Why did it take longer for me to be informed that my information was at risk? Was it at risk since the first batch of e-mails were sent out? Why couldn’t you tell me sooner? Are there other people in other e-mail batches that have compromised account information and still haven’t been informed?
Only reason I know is because of the Plex Discord; the only email I received was the stupid adverts from Plex. @dane22 are the emails slowly rolling out for the security announcement? I’ll double check my settings in case the issue was how I have email notifications set up.
Edit: Email notifications are fine. Should have received it. Not in junk.
Edit2: I set the announcement category to watch so I should at least get an email from the forums now. But not the normal dedicated email informing me of this.
Edit3: Just got the email. Better late than never.