Gentoo Forums
Gentoo Forums: On register, password is emailed in plaintext
throwaway12394
n00b


Joined: 02 Aug 2020
Posts: 3

Posted: Sun Aug 02, 2020 4:31 am    Post subject: Gentoo Forums: On register, password is emailed in plaintext

I just registered this account for unrelated emails. It appears my password has been sent to me in plaintext. This is far from best practice. While fixing I'd also recommend double-checking that passwords are hashed+salted within the database appropriately.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54391
Location: 56N 3W

Posted: Sun Aug 02, 2020 8:51 am

Moved from Networking & Security to Gentoo Forums Feedback.

Yes, passwords are hashed. I'm not sure about salted.

The forums use phpBB 2.0.23-gentoo-p11, which is well past its use-by date.
There is an upgrade to phpBB 3.x in the works, so any fixes to 2.0.23 are unlikely.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
fturco
Veteran


Joined: 08 Dec 2010
Posts: 1181
Location: Italy

Posted: Sun Aug 02, 2020 11:02 am

https://bugs.gentoo.org/431106
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 6920

Posted: Mon Aug 03, 2020 4:40 am

Passwords are stored MD5 hashed and thrown away after the email is sent.

You're right, it's far from best practice, but that's why everyone uses a password manager with strong random per-site passwords nowadays, right? :)
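
The storage concern raised in this thread (unsalted MD5 versus a salted hash), as an added Python example that is not from the forum or from phpBB: a per-user salted PBKDF2 record, plus a verify step that accepts a legacy MD5 row once and returns a replacement record. The record format, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor, not a value from the thread


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the storage scheme described in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as one string."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement_record_or_None).

    Legacy rows (bare 32-hex MD5) are accepted once and re-hashed, so the
    table migrates as users log in without anyone needing the plaintext.
    """
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
        # Re-hash only if the stored work factor is below the current one.
        stale = ok and int(iters) < ITERATIONS
        return ok, (hash_password(password) if stale else None)
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (hash_password(password) if ok else None)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    # Same password always gives the same unsalted MD5 row for every user...
    print(legacy_md5(pw) == legacy_md5(pw))
    # ...while two salted records for that password differ.
    print(hash_password(pw) != hash_password(pw))
    ok, new = verify_and_upgrade(pw, legacy_md5(pw))
    print(ok, new is not None)
```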
Banana
Veteran


Joined: 21 May 2004
Posts: 1416
Location: Germany

Posted: Mon Aug 03, 2020 5:46 am

anything new about the forum upgrade?
_________________
My personal space
My delta-labs.org snippets do expire

PFL - Portage file list - find which package a file or command belongs to.
krinn
Watchman


Joined: 02 May 2003
Posts: 7470

Posted: Mon Aug 03, 2020 11:46 am

Banana wrote:
anything new about the forum upgrade?

a question for https://forums.gentoo.org/viewtopic.php?p=8427828
All times are GMT