How about you don't send my password in a plain text email?

Posted by: DavidCa

How about you don't send my password in a plain text email? - 02/20/13 05:09 PM

When I registered here, I immediately got an email saying welcome to the forum, your username is <blah> and your password is <blah>.

This is bad because anyone can see those emails. It compromises security of this site majorly. It also compromises the security of other sites if that user has used the same password elsewhere.

Please change this.
Posted by: lolatu

Re: How about you don't send my password in a plain text email? - 12/02/13 12:55 AM

Agree - I was pretty shocked to receive this in plain text too. I've never seen any other site send a password like this, with the exception of randomly generated single-use passwords that must be changed immediately.

Now anyone who can read my Gmail (Google, NSA, GCHQ, etc.) can also see my username and password for this site, which in itself doesn't matter that much, but what if I used something similar for my bank account or who-knows-where else?

It may also be an indication of deeper security problems you have here, since it suggests you're actually storing passwords on your server. You should NEVER store passwords - this is a schoolboy error - only a salted hash. Please tell me this isn't so... if it is, you have a huge security liability on your hands, and getting hacked or otherwise compromised would be disastrous for you and your users.
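An added example (not code from this forum or its software) of the flow lolatu asks for and UKIkarus describes: the value from the registration form is salted and hashed, then dropped, and the welcome e-mail is built without it. The in-memory `USERS` dict, the PBKDF2 parameters and the message text are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt, hash). Not a real store.
USERS = {}
ITERATIONS = 200_000  # assumption: PBKDF2 iteration count chosen for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> str:
    """Store only (salt, hash) and return the welcome e-mail body.

    The submitted plaintext is used for hashing and then discarded; it is not
    copied into the e-mail, which is exactly what the thread complains about.
    """
    salt = os.urandom(16)  # fresh per-user salt
    USERS[username] = (salt, hash_password(password, salt))
    return (
        f"Welcome to the forum, {username}!\n"
        "Log in with the password you chose during registration.\n"
        "If you forget it, use the password-reset link on the login page."
    )


def verify(username: str, password: str) -> bool:
    """Check a login attempt against the stored salt and hash in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def email_leaks_password(body: str, password: str) -> bool:
    """Outgoing-mail check: True if the welcome mail still contains the plaintext."""
    return password in body
```

The last function is the check a reviewer would put in a test suite so the original bug cannot come back unnoticed.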
Posted by: UKIkarus

Re: How about you don't send my password in a plain text email? - 12/05/13 09:06 AM

I'm pretty sure they would be storing salted hashes and the password being sent to the email is simply a copy of the value from the moment the form is submitted for registration as opposed to what is stored in the database.

They are, however, running a rather outdated version of the forum package, which should ideally be updated. That said, I am fully aware of how difficult that can prove to be, given that most end up changing the structure of templates/plugins, so many of the originals no longer work/display correctly on the newer versions without some editing (in some cases A LOT of editing).

Perhaps this is why they have decided to stick with what they have for now?
Posted by: UKIkarus

Re: How about you don't send my password in a plain text email? - 12/06/13 12:06 PM

Scratch that, the version is 7.5.7 which is fairly recent ...