Gentoo Forums
gregarei
n00b

Joined: 16 Jan 2008
Posts: 4

Posted: Wed Jan 16, 2008 9:54 am    Post subject: password privacy

I would greatly appreciate it if I was notified, or better notified if I didn't read so closely, that my password would be emailed back to me in PLAINTEXT after signing up. I am very shocked that this is even considered a reasonable practice by a software organization.

desultory
Administrator

Joined: 04 Nov 2005
Posts: 7918

Posted: Thu Jan 17, 2008 10:16 am

After receiving your password, you can access the forums via HTTPS and change your account password. Bear in mind that most users access the forums via HTTP, which indicates that this is not as significant a problem for users as you seem to consider it to be.

gregarei
n00b

Joined: 16 Jan 2008
Posts: 4

Posted: Thu Jan 17, 2008 11:03 am

It's not so much an issue, as I do use unsecure passes over http, but rather a recommendation / wondering of who thought emailing passwords in plaintext was a good idea.

JeliJami
Veteran

Joined: 17 Jan 2006
Posts: 1086
Location: Belgium

Posted: Thu Jan 17, 2008 1:27 pm

desultory wrote:
Bear in mind that most users access the forums via HTTP, which indicates that this is not as significant a problem for users as you seem to consider it to be.


Of course we visit the forums over HTTP:
- searches in Google return http:// links, not https://
- even if you choose to 'watch this topic' from an https session, email notifications still contain a link for http://, not https://
_________________
Unanswered Post Initiative | Search | FAQ
Former username: davjel

timeBandit
Bodhisattva

Joined: 31 Dec 2004
Posts: 2672
Location: here, there or in transit

Posted: Thu Jan 17, 2008 2:11 pm

gregarei wrote:
It's not so much an issue, as I do use unsecure passes over http, but rather a recommendation / wondering of who thought emailing passwords in plaintext was a good idea.
Ask the authors of phpBB. Besides, it's not an appalling idea for low-risk accounts (and a forum ID certainly qualifies as such). It's simple, difficult to intercept in practice and the password is often short-lived anyway.

Also, it's worth remembering that f.g.o runs a pretty old (albeit customized, patched & maintained) release of phpBB. I'm not familiar with the package but this may well be the best it could provide, as of that version. An upgrade is a major effort that, as far as I know, has barely left the planning stages.
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.

desultory
Administrator

Joined: 04 Nov 2005
Posts: 7918

Posted: Fri Jan 18, 2008 9:40 am

gregarei wrote:
It's not so much an issue, as I do use unsecure passes over http, but rather a recommendation / wondering of who thought emailing passwords in plaintext was a good idea.
Text via e-mail is a simple mechanism to distribute a temporary authentication token which is associated with the user via their e-mail account. To provide any significantly improved security would essentially require users to provide a public key when joining and to encrypt any password-containing mail with that key, which itself introduces other problems.

JeliJami wrote:
Of course we visit the forums over HTTP:
- searches in Google return http:// links, not https://
- even if you choose to 'watch this topic' from an https session, email notifications still contain a link for http://, not https://
If you browse the forums using HTTPS, note that it is more resource intensive and less caching than HTTP, install Greasemonkey, then install the following script.
Code:
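// ==UserScript==
// @name           Gentoo Forums HTTPS redirect
// @include        http://forums.gentoo.org/*
// ==/UserScript==
// Reload the current page over HTTPS, keeping the path and query unchanged.
window.location.href = window.location.href.replace(/^http:/, 'https:');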
If you use a browser which is not compatible with Greasemonkey, try locating similar functionality for that browser.
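
An added example, not part of the post above and not phpBB or Gentoo Forums code: one way to mail a temporary authentication token, as the post describes, so that the message never contains the account password and the server keeps only a digest of the token. The function names, the 30-minute lifetime, the in-memory store and the forums.example.org link are assumptions made for illustration.

```javascript
// Added example (hypothetical names): e-mail a single-use, expiring
// activation token instead of the password itself.
const crypto = require('crypto');

const TOKEN_TTL_MS = 30 * 60 * 1000; // assumed 30-minute lifetime
const pending = new Map();           // userId -> { digest, expires }; stands in for a DB table

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Create the token that goes into the mail body. Only its SHA-256 digest
// is stored, so a leaked table does not reveal usable tokens.
function issueToken(userId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  pending.set(userId, { digest: sha256(token), expires: now + TOKEN_TTL_MS });
  return token;
}

// Build the link for the mail. It is https:// so the browser does not
// send the token in clear when the user follows it.
function activationLink(userId, token) {
  const q = new URLSearchParams({ u: userId, t: token });
  return `https://forums.example.org/activate?${q}`; // placeholder host and path
}

// Redeem a token: expiry check, constant-time digest comparison, and
// deletion on success so the same mail cannot be replayed.
function redeemToken(userId, token, now = Date.now()) {
  const entry = pending.get(userId);
  if (!entry) return 'unknown';
  if (now > entry.expires) {
    pending.delete(userId);
    return 'expired';
  }
  // Both buffers are 32-byte digests, as timingSafeEqual requires.
  if (!crypto.timingSafeEqual(entry.digest, sha256(String(token)))) {
    return 'invalid';
  }
  pending.delete(userId); // single use
  return 'ok';
}
```

After a successful redemption the user sets a password over the HTTPS session, so the mailbox only ever holds a value that is already spent.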

swathe
n00b

Joined: 04 Jul 2011
Posts: 61

Posted: Mon Jul 04, 2011 5:16 am

I was shocked to see it come in plain text too but I thought I would search before making a thread. Out of curiosity, have there ever been any security breaches with the forums themselves?

1clue
Veteran

Joined: 05 Feb 2006
Posts: 1355

Posted: Mon Jul 04, 2011 5:24 am

The only way I can think it would matter on a forum like this is if you use the same password for something important as you do for a public forum.

swathe
n00b

Joined: 04 Jul 2011
Posts: 61

Posted: Mon Jul 04, 2011 6:45 am

1clue wrote:
The only way I can think it would matter on a forum like this is if you use the same password for something important as you do for a public forum.


Definitely not something I do but I still think sending passwords in plain text is a bit poor. Nevertheless the choice of risking it is on us so it's either accept it or leave lol.

tomk
Administrator

Joined: 23 Sep 2003
Posts: 7219
Location: Sat in front of my computer

Posted: Mon Jul 04, 2011 8:50 am

swathe wrote:
Out of curiosity, have there ever been any security breaches with the forums themselves?

Not that I'm aware of because we try to keep on top of potential threats and take according action. For what it's worth the passwords are not stored in plain text.
_________________
Search | Read | Answer | Report | Strip

swathe
n00b

Joined: 04 Jul 2011
Posts: 61

Posted: Mon Jul 04, 2011 10:07 am

tomk wrote:
swathe wrote:
Out of curiosity, have there ever been any security breaches with the forums themselves?

Not that I'm aware of because we try to keep on top of potential threats and take according action. For what it's worth the passwords are not stored in plain text.


Which answers my next question lol.

Thanks for the information tomk