Gentoo Forums
Gentoo Forums Feedback
forums.gentoo.org password security
NP-Hardass
n00b

Joined: 24 Mar 2013
Posts: 3

Posted: Sun Mar 24, 2013 1:35 am    Post subject: forums.gentoo.org password security

I just signed up for an account, and noticed that upon registration, my password was emailed in plaintext to me.
That's definitely a major no-no on its own. But since your system was able to send it to me in plaintext in the first place, I'm going to assume that they are also stored in plaintext... That's pretty bad security-wise. Can someone look into this and comment?
jpc22
Apprentice

Joined: 29 Jan 2012
Posts: 195

Posted: Sun Mar 24, 2013 1:49 am

Cannot confirm if they are stored in plain text, but I did not pay attention to that when I signed up.

Otherwise I think/hope the rest of the Gentoo services/features are safer.

Forum password safety is not that dramatic compared to other stuff that could be compromised, like mirrors, but it still needs to be addressed, like you pointed out.
Ant P.
Advocate

Joined: 18 Apr 2009
Posts: 2584
Location: UK

Posted: Sun Mar 24, 2013 1:53 am

It's phpBB 2.0.23. The password is stored as an MD5 hash and only sent back as plaintext because you just submitted it in plaintext.

In short you have nothing to worry about, as long as the URL bar starts with "https:".
NP-Hardass
n00b

Joined: 24 Mar 2013
Posts: 3

Posted: Sun Mar 24, 2013 2:30 am

Thanks for the response :)

From what I've read online, the phpBB 2 systems use an unsalted hash. And we don't force the login to https, nor do we by default link to https from the gentoo.org website. So I think that alone is insufficient as a claim of mitigation.
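To make concrete what the two previous posts are arguing about (Ant P.'s point that phpBB 2 stores an MD5 hash, and NP-Hardass's point that it is unsalted), here is an added Python example. It is not phpBB code and not from anyone in the thread. It builds a constructed user table hashed the way the thread describes phpBB 2 doing it, md5(password) with no salt, runs a small dictionary attack against it, and then repeats the attack against the same passwords stored with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256, chosen here only as a stand-in for a modern scheme). The usernames, passwords, wordlist and iteration count are all made up for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real forum accounts): two users picked the same password.
USERS = {
    "alice": "gentoo2013",
    "bob": "password1",
    "carol": "gentoo2013",
    "dave": "Tr0ub4dor&3",
}
# Constructed attacker wordlist; dave's password is deliberately not in it.
WORDLIST = ["123456", "password", "password1", "gentoo", "gentoo2013", "letmein"]


def phpbb2_hash(password):
    """Unsalted MD5 of the password, the storage format the thread describes for phpBB 2.0.x."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, salt, iterations):
    """Per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256), a stand-in for a modern scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_unsalted_table(users=USERS):
    """user -> md5(password), roughly what a leaked phpBB 2 users table would look like."""
    return {user: phpbb2_hash(pw) for user, pw in users.items()}


def build_salted_table(users=USERS, iterations=1000):
    """user -> (salt, pbkdf2(password, salt)), with a fresh random 16-byte salt per user."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_hash(pw, salt, iterations))
    return table


def shared_passwords(unsalted_table):
    """Groups of users whose stored hashes are identical.
    With no salt, equal passwords give equal hashes, so this leaks before any cracking."""
    groups = {}
    for user, h in unsalted_table.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def crack_unsalted(unsalted_table, wordlist=WORDLIST):
    """Dictionary attack on unsalted hashes: hash each candidate once and look it up
    against every user at the same time. Cost is len(wordlist) hashes, however many users.
    Returns (recovered user -> password, number of hash computations)."""
    by_hash = {}
    for user, h in unsalted_table.items():
        by_hash.setdefault(h, []).append(user)
    recovered, work = {}, 0
    for candidate in wordlist:
        work += 1
        for user in by_hash.get(phpbb2_hash(candidate), []):
            recovered[user] = candidate
    return recovered, work


def crack_salted(salted_table, wordlist=WORDLIST, iterations=1000):
    """Same attack against salted hashes: every candidate must be rehashed under each
    user's salt, and each hash costs `iterations` times more than a single MD5."""
    recovered, work = {}, 0
    for user, (salt, h) in salted_table.items():
        for candidate in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(candidate, salt, iterations), h):
                recovered[user] = candidate
                break
    return recovered, work


if __name__ == "__main__":
    unsalted = build_unsalted_table()
    print("users sharing a password (visible without cracking):", shared_passwords(unsalted))
    got, work = crack_unsalted(unsalted)
    print(f"unsalted md5: recovered {got} with {work} hash computations")
    salted = build_salted_table(iterations=1000)
    got, work = crack_salted(salted, iterations=1000)
    print(f"salted pbkdf2: recovered {got} with {work} x 1000 hash computations")
```

The point the numbers make: against the unsalted table, one pass over the wordlist recovers every weak password in the table at once, and two users with the same password are visible as duplicates even before the attacker hashes anything. Salting removes the duplicate leak and forces the wordlist to be rehashed per user; the iteration count then multiplies each of those hashes, which is what makes a leaked table expensive rather than cheap to crack. Neither scheme helps with the other issue raised in the thread, a password sent over plain http or in a plaintext email, since that exposes the password itself rather than its hash.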
krinn
Advocate

Joined: 02 May 2003
Posts: 4433

Posted: Sat Mar 30, 2013 2:08 pm

Ant P. wrote:
In short you have nothing to worry about, as long as the URL bar starts with "https:".

As long as you don't read that mail from a public wifi :)
Just like it's funny to see so many people using a mail checker on their laptop and running around everywhere with it enabled.