Author Topic: TIG Forums uses bad password practices?  (Read 1156 times)
cliffclavin
Level 0
« on: April 28, 2014, 07:50:45 AM »

As you can see I am a new member on TIG and was very very surprised and a little upset to see that upon signing up I was emailed my password in plaintext! Passwords really should be hashed and stored securely.  Typically sites are shamed out of this behavior by sites like http://plaintextoffenders.com/about/ and I would really not like to see a breach or even a shaming of TIG.  This is somewhat serious, and I hope it is taken that way.
Udderdude
Level 10
« Reply #1 on: April 28, 2014, 09:16:56 AM »

Your message might get a better response here: http://forums.tigsource.com/index.php?board=53.0
moi
Level 10
DILF SANTA
« Reply #2 on: April 28, 2014, 09:21:24 AM »

send me your password, I'll encrypt it and run a security test on it

subsystems   subsystems   subsystems
Christian Knudsen
Level 10
« Reply #3 on: April 28, 2014, 10:55:34 AM »

http://forums.tigsource.com/index.php?topic=37198.0

Laserbrain Studios
Currently working on Hidden Asset (TIGSource DevLog)
CutterSlade
Level 0
« Reply #4 on: April 28, 2014, 12:30:10 PM »

You can't say anything about how the passwords are stored by looking at the contents of the email you received. What did you expect to see, the md5 hashed version of it? Hashed versions are used only during comparison with the one in the db on the server side.

Still, including the password in that email isn't very wise and doesn't make any sense.
« Last Edit: April 28, 2014, 12:36:59 PM by CutterSlade »
Chromanoid
Level 10
« Reply #5 on: April 28, 2014, 01:05:27 PM »

Yeah, I hate this practice in forum software. phpBB did this too at some point in time... Normally an admin can change the template for the email sent after registration.

Since emails are like postcards, it would probably be a good idea. Another thing is that if somebody misspells her email address, the password might be sent to the wrong person. I use a new password for every site (via password manager) so it doesn't bother me that much anymore.

The default setting that the email address is public should be changed too.
« Last Edit: April 28, 2014, 01:12:36 PM by Chromanoid »
Kingel
Level 2
« Reply #6 on: April 28, 2014, 02:42:40 PM »

Quote from: CutterSlade
You can't say anything about how the passwords are stored by looking at the contents of the email you received. What did you expect to see, the md5 hashed version of it? Hashed versions are used only during comparison with the one in the db on the server side.

You're partly right. The comparison you're talking about is being done with your password and a hash value, a one-way mapping of that password. The only way to get the password back is to brute-force the hash stored on the server (which is why hackers use rainbow tables when they steal database contents, which again is why you need salted hashes). That is, unless the server simply stores your password in plaintext, in which case it can email the password back to you when requested. This is why you would normally get a password reset email instead.
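Kingel's reply above explains why a server that keeps only a salted hash cannot mail the password back, and why a reset link is the normal substitute. The Python below is an added example written for this page, not SMF's or the forum's own code: it contrasts an unsalted digest (where two users with the same password share one digest, so a single precomputed table covers both) with per-user salted PBKDF2, and then shows a reset flow that mails a random token and stores only the token's hash. The usernames, passwords, iteration count and 15-minute token lifetime are constructed for illustration.

```python
"""Salted password storage and a token-based reset flow (illustrative only)."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample input: two users who happen to pick the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}

PBKDF2_ITERATIONS = 200_000   # assumption: iteration count chosen for this demo
RESET_TTL_SECONDS = 900       # assumption: 15-minute token validity


def unsalted_hash(password: str) -> str:
    """The weak scheme: equal passwords give equal digests, so one precomputed
    (rainbow) table over the digest breaks every account using that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a fresh 16-byte salt with a PBKDF2-HMAC-SHA256 digest of the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_user_table(users: Dict[str, str]) -> Dict[str, str]:
    """What the database holds: only the salted hash string per user."""
    return {name: hash_password(pw) for name, pw in users.items()}


def issue_reset_token(reset_store: Dict[str, Tuple[str, float]],
                      username: str, now: float) -> str:
    """Create a random token for the e-mail link; persist only its hash and expiry,
    so a copy of the reset table is useless without the mailed token."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    reset_store[username] = (token_hash, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(reset_store: Dict[str, Tuple[str, float]],
                       user_table: Dict[str, str], username: str,
                       token: str, new_password: str, now: float) -> bool:
    """Accept the token once, before expiry, and replace the stored hash.
    The old password is never recovered and never needed."""
    entry = reset_store.get(username)
    if entry is None:
        return False
    token_hash, expires = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expires or not hmac.compare_digest(presented, token_hash):
        return False
    del reset_store[username]            # single use
    user_table[username] = hash_password(new_password)
    return True


if __name__ == "__main__":
    table = build_user_table(SAMPLE_USERS)
    print("unsalted digests equal:", unsalted_hash("correct horse") == unsalted_hash("correct horse"))
    print("salted records equal:  ", table["alice"] == table["bob"])
    store: Dict[str, Tuple[str, float]] = {}
    tok = issue_reset_token(store, "alice", now=0.0)
    print("reset accepted:", redeem_reset_token(store, table, "alice", tok, "new pw", now=10.0))
    print("new password verifies:", verify_password("new pw", table["alice"]))
```

The reset table holds a hash of the token rather than the token itself for the same reason the user table holds a hash of the password: whoever reads the database should not be able to impersonate the e-mail recipient.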

Chromanoid
Level 10
« Reply #7 on: April 28, 2014, 11:12:45 PM »

Quote from: CutterSlade
You can't say anything about how the passwords are stored by looking at the contents of the email you received. [...]

Quote from: Kingel
[...] That is, unless the server simply stores your password in plaintext, in which case it can email the password back to you when requested. This is why you would normally get a password reset email instead.

In the case of SMF and (a former version? of) phpBB, the password is sent once before storing the hashed password.
cliffclavin
Level 0
« Reply #8 on: April 29, 2014, 03:29:54 AM »

True, the password can still be stored as a hash. It is still pretty unsettling that my password at any point is being transferred in plaintext. Man-in-the-middle attacks are common, etc. Also, it being sent out by a single automated gmail means there is an outbox that is a gold mine of dev passwords; that's seriously crazy.
CutterSlade
Level 0
« Reply #9 on: April 29, 2014, 06:24:04 AM »

Quote from: cliffclavin
True, the password can still be stored as a hash. It is still pretty unsettling that my password at any point is being transferred in plaintext. Man-in-the-middle attacks are common, etc. Also, it being sent out by a single automated gmail means there is an outbox that is a gold mine of dev passwords; that's seriously crazy.

Unless they use SSL, which would be pointless in a forum such as this, the password has to be transferred in plain text at least once when you sign up. But currently they're doing this twice.
CutterSlade
Level 0
« Reply #10 on: April 29, 2014, 06:33:21 AM »

Quote from: Kingel
That is, unless the server simply stores your password in plaintext, in which case it can email the password back to you when requested. This is why you would normally get a password reset email instead.

This forum isn't doing that, it only sends you your password right after you signed up, because it already has it in plain text at that time. There is no way to retrieve your password as plain text again because it is stored as a hashed value.

I don't know how you managed to reach the conclusion that just because it sent you your password once, it stores the passwords in plain text and can send it to you again. Have you seen a button that sends you your current password in an email? I don't think so.
Christian Knudsen
Level 10
« Reply #11 on: April 29, 2014, 09:44:27 AM »

Quote from: cliffclavin
Also, it being sent out by a single automated gmail means there is an outbox that is a gold mine of dev passwords; that's seriously crazy.

Just because a gmail address is set as the sender of an email generated automatically by the forum software doesn't mean that a copy ends up in that gmail account's outbox.

Laserbrain Studios
Currently working on Hidden Asset (TIGSource DevLog)