Sorry to make my first post here a complaint, but I am completely shocked that the forum administrators would commit such a blatant security infraction as the sending of unencrypted passwords back with the confirmation email. This is a BAD PRACTICE! Even more ironic is how your registration process talks about using "secure passwords", and adds the "may the force be with you!" message if you use a strong password.
But probably the most frightening thought is that if you are able to send an unencrypted password back to the user, it is likely that you are STORING the passwords in your database unencrypted as well. Again, BAD PRACTICE! Your MySQL database could be hacked in less than 30 seconds, and each and every email-password combination would soon be the property of identity thieves.
OK, I've gotten that off my chest. I will now participate in the discussions about your awesome keyboards.
Peace,
VB
- Vinslom Bardy
- Posts: 5
- Joined: 24 Feb 2013, 22:15
- Has thanked: 1 time
- Been thanked: 3 times
- Your Nord Gear #1: Nord Electro 4
Re: Passwords
Hi Vinslom,
I appreciate your comment. I agree it is not "best practice" to send them via mail. I changed it some time ago since there were many requests to send passwords via mail as many users seem to have forgotten their passwords, and having it for a record in the mail seemed the easiest way to avoid countless change requests etc. But I agree in general it would be better without, just a way of convenience (and used on around one third of the forums I visit) vs. security, and given this is "only" a forum and does not contain (most likely) sensitive issues so the convenience factor seemed to dominate. But it might be good to go back to the standard.
Nevertheless, the passwords ARE stored encrypted in the database, the only time they are processed unencrypted is precisely when sending the confirmation mail.
Also, we always keep all elements of this forum's software up to the most recent updates and security standards (also best practice, but nevertheless not the case on many other forums), and security is top priority. As for the password, we can easily remove sending out passwords.
Best regards,
Johannes
Contact: info@norduserforum.com
Johannes - Administrator
- Posts: 2133
- Joined: 05 Mar 2009, 01:04
- Location: Milano
- Has thanked: 743 times
- Been thanked: 838 times
- Your Nord Gear #1: Nord Stage 2
- Your Nord Gear #2: Other Brand
Re: Passwords
Vinslom Bardy wrote: Sorry to make my first post here a complaint, but I am completely shocked that the forum administrators would commit such a blatant security infraction as the sending of unencrypted passwords back with the confirmation email. This is a BAD PRACTICE! Even more ironic is how your registration process talks about using "secure passwords", and adds the "may the force be with you!" message if you use a strong password.
But probably the most frightening thought is that if you are able to send an unencrypted password back to the user, it is likely that you are STORING the passwords in your database unencrypted as well. Again, BAD PRACTICE! Your MySQL database could be hacked in less than 30 seconds, and each and every email-password combination would soon be the property of identity thieves.
OK, I've gotten that off my chest. I will now participate in the discussions about your awesome keyboards.
Peace,
VB
Thanks for making this security flaw public. Much more secure airing it out in public rather than send a private message to the moderator.
walkerdata - Patch Creator
- Posts: 123
- Joined: 04 Nov 2010, 20:10
- Location: Tennessee, USA
- Has thanked: 5 times
- Been thanked: 78 times
- Your Nord Gear #1: Nord Stage 2
- Your Nord Gear #2: Nord Stage Classic
Re: Passwords
@walkerdata: Nah, my posting this doesn't change anything. Hackers already have each and every phpBB installation cataloged and documented. In IT security, it's better to draw light to the issues amongst the users, because the bad guys already know what is being pointed out. The more users we have that are educated on these issues, the better off the legitimate online community will be.
@johannes: Good to hear that your password field is encrypted. MySQL makes that step super easy. I guess I can understand your rationale for sending passwords, but perhaps you could just do this only upon request (not upon initial registration), and only after the user has been warned about the potential dangers of receiving an email with their username and password. Just a thought from one geek to another.
Peace,
VB
Last edited by Vinslom Bardy on 25 Feb 2013, 01:05, edited 3 times in total.
- Vinslom Bardy
- Posts: 5
- Joined: 24 Feb 2013, 22:15
- Has thanked: 1 time
- Been thanked: 3 times
- Your Nord Gear #1: Nord Electro 4
Re: Passwords
Hi VB,
thanks for the rephrasing, makes my reply much easier
So I just changed it and now no more passwords will be sent. I agree that IT security is very important, and this forum is no exception.
Anyway, and since this topic has a meaningful title for this topic: If you ever forget your password, you can reset it using the email address you registered with here: ucp.php?mode=sendpassword
The new password will only be activated once you receive the email and activate it. If you don't know the email address you used, PM me!
Cheers, Johannes
Contact: info@norduserforum.com
Johannes - Administrator
- Posts: 2133
- Joined: 05 Mar 2009, 01:04
- Location: Milano
- Has thanked: 743 times
- Been thanked: 838 times
- Your Nord Gear #1: Nord Stage 2
- Your Nord Gear #2: Other Brand
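The two practices the thread settles on, storing only a one-way hash so the site never holds a password it could mail back, and a "forgot password" flow where the change only takes effect after the user acts on a link from their mailbox, fit together in a few dozen lines. The following is an added illustration, not the forum's or phpBB's own code: the in-memory USERS and PENDING_RESETS dictionaries stand in for a user table, the function names are invented, and the hashing is salted PBKDF2 from Python's standard library rather than any database-side function. The point of the registration function is that its confirmation text cannot contain the password, because nothing recoverable is kept.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for a forum's user table and its
# pending-reset table (hypothetical; a real site would use its database).
USERS = {}
PENDING_RESETS = {}

PBKDF2_ITERATIONS = 200_000   # work factor; raise as hardware gets faster
TOKEN_TTL_SECONDS = 3600      # a reset link is only good for an hour


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(email, password):
    """Store only the hash; the returned confirmation-mail body has no password to include."""
    USERS[email] = {"password_hash": hash_password(password)}
    return "Welcome! Your account %s is registered." % email


def login(email, password):
    user = USERS.get(email)
    return user is not None and verify_password(password, user["password_hash"])


def request_reset(email, now=None):
    """Start the 'forgot password' flow: hand out a one-time token and store only its hash.

    The returned token stands in for the activation link that would go in the e-mail;
    the database keeps just sha256(token), so a leaked table cannot be used to reset.
    """
    if email not in USERS:
        return None  # the outward e-mail behaviour should look the same in either case
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[email] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def activate_reset(email, token, new_password, now=None):
    """Only a valid, unexpired token from the mailbox replaces the stored hash."""
    now = time.time() if now is None else now
    pending = PENDING_RESETS.get(email)
    if pending is None:
        return False
    if now > pending["expires"]:
        del PENDING_RESETS[email]   # stale link: discard it, user must request again
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    USERS[email]["password_hash"] = hash_password(new_password)
    del PENDING_RESETS[email]       # single use
    return True


if __name__ == "__main__":
    mail = register("vb@example.invalid", "correct horse")   # constructed sample account
    print(mail)                                               # no password in the mail
    print("login ok:", login("vb@example.invalid", "correct horse"))
    link_token = request_reset("vb@example.invalid")
    print("reset applied:", activate_reset("vb@example.invalid", link_token, "new passphrase"))
    print("old password still works:", login("vb@example.invalid", "correct horse"))
```

Until `activate_reset` succeeds the old hash stays in place, which is the behaviour described for the forum's reset link: requesting a reset does nothing on its own, so a stranger entering someone else's e-mail address cannot lock that person out.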