gregarei n00b
Joined: 16 Jan 2008 Posts: 4
|
Posted: Wed Jan 16, 2008 9:54 am Post subject: password privacy |
|
|
I would greatly appreciate it if I was notified, or better notified if I didn't read so closely, that my password would be emailed back to me in PLAINTEXT after signing up. I am very shocked that this is even considered a reasonable practice by a software organization. |
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
|
Posted: Thu Jan 17, 2008 10:16 am Post subject: |
|
|
After receiving your password, you can access the forums via HTTPS and change your account password. Bear in mind that most users access the forums via HTTP, which indicates that this is not as significant a problem for users as you seem to consider it to be. |
gregarei n00b
Joined: 16 Jan 2008 Posts: 4
|
Posted: Thu Jan 17, 2008 11:03 am Post subject: |
|
|
It's not so much an issue, as I do use unsecure passes over http, but rather a recommendation / wondering of who thought emailing passwords in plaintext was a good idea. |
JeliJami Veteran
Joined: 17 Jan 2006 Posts: 1086 Location: Belgium
|
Posted: Thu Jan 17, 2008 1:27 pm Post subject: |
|
|
desultory wrote: | Bear in mind that most users access the forums via HTTP, which indicates that this is not as significant a problem for users as you seem to consider it to be. |
Of course we visit the forums over HTTP:
- searches in Google return http:// links, not https://
- even if you choose to 'watch this topic' from an https session, email notifications still contain a link for http://, not https:// |
timeBandit Bodhisattva
Joined: 31 Dec 2004 Posts: 2719 Location: here, there or in transit
|
Posted: Thu Jan 17, 2008 2:11 pm Post subject: |
|
|
gregarei wrote: | It's not so much an issue, as I do use unsecure passes over http, but rather a recommendation / wondering of who thought emailing passwords in plaintext was a good idea. |
Ask the authors of phpBB. Besides, it's not an appalling idea for low-risk accounts (and a forum ID certainly qualifies as such). It's simple, difficult to intercept in practice and the password is often short-lived anyway.
Also, it's worth remembering that f.g.o runs a pretty old (albeit customized, patched & maintained) release of phpBB. I'm not familiar with the package but this may well be the best it could provide, as of that version. An upgrade is a major effort that, as far as I know, has barely left the planning stages. |
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
|
Posted: Fri Jan 18, 2008 9:40 am Post subject: |
|
|
gregarei wrote: | It's not so much an issue, as I do use unsecure passes over http, but rather a recommendation / wondering of who thought emailing passwords in plaintext was a good idea. |
Text via e-mail is a simple mechanism to distribute a temporary authentication token which is associated with the user via their e-mail account. To provide any significantly improved security would essentially require users to provide a public key when joining and to encrypt any password-containing mail with that key, which itself introduces other problems.
JeliJami wrote: | Of course we visit the forums over HTTP:
- searches in Google return http:// links, not https://
- even if you choose to 'watch this topic' from an https session, email notifications still contain a link for http://, not https:// |
If you browse the forums using HTTPS, note that it is more resource intensive and less caching than HTTP, install Greasemonkey, then install the following script.
Code: |
// ==UserScript==
// @include http://forums.gentoo.org/*
// ==/UserScript==
// Reload any http:// forum page over https://.
window.location.href = window.location.href.replace(/^http:/, 'https:');
|
If you use a browser which is not compatible with Greasemonkey, try locating similar functionality for that browser. |
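The "temporary authentication token" mechanism described in the post above, sketched for Node.js as an added example (it is not part of the post, and is not phpBB's or the forum's code): the e-mail carries a random single-use token instead of the password, and the server keeps only the token's hash. The function names, the in-memory store and the 30-minute lifetime are assumptions made for illustration.

```javascript
// Added example: single-use, expiring e-mail token. Names and TTL are hypothetical.
const crypto = require("node:crypto");

const TOKEN_TTL_MS = 30 * 60 * 1000; // assumed lifetime: 30 minutes
const pending = new Map();           // account -> { digest, expires }; stands in for a DB table

// Hash a token so the stored value cannot be replayed if the table leaks.
function sha256(text) {
  return crypto.createHash("sha256").update(String(text)).digest();
}

// Create the token that goes into the e-mail body. Only its hash is stored,
// and issuing a new token for the same account replaces the old one.
function issueToken(account, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("hex");
  pending.set(account, { digest: sha256(token), expires: now + TOKEN_TTL_MS });
  return token;
}

// Check a token presented by the user (over HTTPS). A successful redemption
// consumes the token, so a copy read from the mailbox later no longer works.
function redeemToken(account, presented, now = Date.now()) {
  const entry = pending.get(account);
  if (!entry) return "unknown";
  if (now > entry.expires) {
    pending.delete(account);
    return "expired";
  }
  // Both buffers are 32-byte SHA-256 digests, as timingSafeEqual requires.
  if (!crypto.timingSafeEqual(entry.digest, sha256(presented))) return "mismatch";
  pending.delete(account);
  return "ok"; // caller now lets the user choose a password, stored hashed
}
```
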
swathe n00b
Joined: 04 Jul 2011 Posts: 73
|
Posted: Mon Jul 04, 2011 5:16 am Post subject: |
|
|
I was shocked to see it come in plain text too but I thought I would search before making a thread. Out of curiosity, have there ever been any security breaches with the forums themselves? |
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Jul 04, 2011 5:24 am Post subject: |
|
|
The only way I can think it would matter on a forum like this is if you use the same password for something important as you do for a public forum. |
swathe n00b
Joined: 04 Jul 2011 Posts: 73
|
Posted: Mon Jul 04, 2011 6:45 am Post subject: |
|
|
1clue wrote: | The only way I can think it would matter on a forum like this is if you use the same password for something important as you do for a public forum. |
Definitely not something I do but I still think sending passwords in plain text is a bit poor. Nevertheless the choice of risking it is on us so it's either accept it or leave lol. |
tomk Bodhisattva
Joined: 23 Sep 2003 Posts: 7221 Location: Sat in front of my computer
|
Posted: Mon Jul 04, 2011 8:50 am Post subject: |
|
|
swathe wrote: | Out of curiosity, have there ever been any security breaches with the forums themselves? |
Not that I'm aware of because we try to keep on top of potential threats and take according action. For what it's worth the passwords are not stored in plain text. |
swathe n00b
Joined: 04 Jul 2011 Posts: 73
|
Posted: Mon Jul 04, 2011 10:07 am Post subject: |
|
|
tomk wrote: | swathe wrote: | Out of curiosity, have there ever been any security breaches with the forums themselves? |
Not that I'm aware of because we try to keep on top of potential threats and take according action. For what it's worth the passwords are not stored in plain text. |
Which answers my next question lol.
Thanks for the information tomk |