Gentoo Forums
forums.gentoo.org password security
NP-Hardass
Developer


Joined: 24 Mar 2013
Posts: 15

Posted: Sun Mar 24, 2013 1:35 am    Post subject: forums.gentoo.org password security

I just signed up for an account, and noticed that upon registration, my password was emailed in plaintext to me.
That's definitely a major no-no on its own. But since your system was able to send it to me in plaintext in the first place, I'm going to assume that they are also stored in plaintext... That's pretty bad security-wise. Can someone look into this and comment?
jpc22
Apprentice


Joined: 29 Jan 2012
Posts: 195

Posted: Sun Mar 24, 2013 1:49 am    Post subject:

Cannot confirm if they are stored in plain text, but I did not pay attention to that when I signed up.

Otherwise I think/hope the rest of Gentoo services/features are safer.

Forum password safety is not that dramatic compared to other stuff that could be compromised, like mirrors, but it still needs to be addressed, like you pointed out.
Ant P.
Advocate


Joined: 18 Apr 2009
Posts: 2970
Location: UK

Posted: Sun Mar 24, 2013 1:53 am    Post subject:

It's phpBB 2.0.23. The password is stored as an MD5 hash and only sent back as plaintext because you just submitted it in plaintext.

In short you have nothing to worry about, as long as the URL bar starts with "https:".
NP-Hardass
Developer


Joined: 24 Mar 2013
Posts: 15

Posted: Sun Mar 24, 2013 2:30 am    Post subject:

Thanks for the response :)

From what I've read online, the phpBB 2 systems use an unsalted hash. And we don't force the login to https, nor do we by default link to https from the gentoo.org website. So I think that alone is insufficient for a claim of mitigation.
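Added example, not part of any post in this thread and not phpBB code: a Python sketch of why the unsalted MD5 storage described above is weak (identical passwords give identical stored hashes) and how a site can move legacy records to a salted, slow KDF at login time. The record format `pbkdf2$...`, the iteration count, the function names and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not a value from the thread

# Constructed sample accounts: alice and bob happen to pick the same password.
SAMPLE_PASSWORDS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}


def legacy_md5(password):
    """Unsalted MD5 hex digest, the format the thread says phpBB 2 stores."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password, stored):
    """Return (ok, replacement); replacement is a new record after a legacy match."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    # Legacy record: compare against unsalted MD5, then re-hash on success.
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (hash_password(password) if ok else None)


def shared_hashes(records):
    """Groups of users whose stored hash is identical; a per-user salt prevents this."""
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return sorted(users for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    legacy = {u: legacy_md5(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("same hash under MD5:", shared_hashes(legacy))
    ok, upgraded = verify_and_upgrade("correct horse", legacy["alice"])
    print("legacy login ok:", ok, "-> stored record becomes", upgraded[:24] + "...")
```

The upgrade path only replaces a record when the user next logs in, so accounts that never return keep their MD5 hash until they are reset or expired.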
krinn
Advocate


Joined: 02 May 2003
Posts: 4859

Posted: Sat Mar 30, 2013 2:08 pm    Post subject:

Ant P. wrote:

In short you have nothing to worry about, as long as the URL bar starts with "https:".


as long as you don't read that mail from a public wifi :)
Just like it's funny to see so many people using a mail checker on their laptop and running everywhere with it enabled.
zamabe
n00b


Joined: 21 Aug 2015
Posts: 3

Posted: Fri Aug 21, 2015 1:52 am    Post subject:

*grumbles about this still being a thing in 2015*
The Doctor
Veteran


Joined: 27 Jul 2010
Posts: 1774

Posted: Fri Aug 21, 2015 2:15 am    Post subject:

zamabe wrote:
*grumbles about this still being a thing in 2015*
It isn't like that password is protecting anything important so I'm fine with weaker security here.

If you are suffering from password reuse, you are doing something very wrong.
_________________
First things first, but not necessarily in that order.
zamabe
n00b


Joined: 21 Aug 2015
Posts: 3

Posted: Fri Aug 21, 2015 2:18 am    Post subject:

The Doctor wrote:
...I'm fine with weaker security here.

If you are suffering from password reuse, you are doing something very wrong.

Yay, I'm not.

Shifting the blame of *bad* security to the person who isn't responsible for the security the system employs is ..... illogical and wrong as a point of order.
All times are GMT