Author Topic: Password emailed in plaintext - security issue  (Read 1113 times)
adele
Forums Newbie
*
Posts: 1


« on: September 20, 2014, 06:20:04 PM »

When I registered, I got an email from the forum which included the password I used in plaintext. This is a possible security issue.

Suggestions:
For a very simple fix, you could put a note on the registration screen to use a temporary password when registering, and to update it after being approved.

Even better, you could automatically generate a temporary password, and then when they are approved, they are required to change the password.

Or you could just remove the password from being sent in the email. 

Thank you!
adele
Logged
cKleinhuis
Administrator
Fractal Senior
*******
Posts: 7044


formerly known as 'Trifox'


« Reply #1 on: September 20, 2014, 06:58:50 PM »

You are right, I removed the password message from any emails - at least I hope
Logged

---

divide and conquer - iterate and rule - chaos is No random!
kram1032
Fractal Senior
******
Posts: 1863


« Reply #2 on: September 20, 2014, 07:01:21 PM »

In fact, the forum shouldn't even be able to send a password, ever.
What you should store is a hash which is generated by using a password and adding some random (constant) garbage behind that password.
If the password is correct, it'll encrypt to the same hash every time.
That way, even if there is a security breach, a hacker can't easily get the password.
Though it also means that the server doesn't even store a clear text version of the password, ever.

Look up hashing and salting :)
« Last Edit: September 20, 2014, 09:41:40 PM by kram1032 » Logged