Title: Password emailed in plaintext - security issue
Post by: adele on September 20, 2014, 06:20:04 PM

When I registered, I got an email from the forum which included the password I used in plaintext. This is a possible security issue.

Suggestions: For a very simple fix, you could put a note on the registration screen to use a temporary password when registering, and to update it after being approved. Even better, you could automatically generate a temporary password, and then when they are approved, they are required to change the password. Or you could just remove the password from being sent in the email.

Thank you!
adele

Title: Re: Password emailed in plaintext - security issue
Post by: cKleinhuis on September 20, 2014, 06:58:50 PM

You are right, I removed the password message from any emails - at least I hope

Title: Re: Password emailed in plaintext - security issue
Post by: kram1032 on September 20, 2014, 07:01:21 PM

In fact, the forum shouldn't even be able to send a password, ever. What you should store is a hash which is generated by using a password and adding some random (constant) garbage behind that password. If the password is correct, it'll encrypt to the same hash every time. That way, even if there is a security breach, a hacker can't easily get the password. Though it also means that the server doesn't even store a clear text version of the password, ever. Look up hashing and salting :)
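Salted hashing as kram1032 describes it, shown as an added example that is not part of the original thread or the forum software: each user gets a fresh random salt, the password is run through PBKDF2-HMAC-SHA256 (the KDF and the iteration count are assumptions, not something the thread specifies), login recomputes and compares in constant time, and the stored record holds nothing the forum could email back.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": username -> stored record.
# Only the salt, the work factor and the derived hash are kept; the
# plaintext password is never stored, so it can never be emailed.
USERS = {}

# PBKDF2-HMAC-SHA256 work factor (assumption; tune for your hardware).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length key from the password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username: str, password: str) -> dict:
    """Store a fresh random salt plus the derived hash; return the stored record."""
    salt = os.urandom(16)  # unique per user: equal passwords give different hashes
    record = {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt).hex(),
    }
    USERS[username] = record
    return record


def verify(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    candidate = hash_password(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def stored_record_contains_password(username: str, password: str) -> bool:
    """Sanity check: no field of the stored record equals the plaintext."""
    return password in USERS[username].values()


if __name__ == "__main__":
    rec = register("adele", "correct horse battery staple")
    print("stored record:", rec)
    print("correct password accepted:", verify("adele", "correct horse battery staple"))
    print("wrong password rejected:", not verify("adele", "hunter2"))
```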