Are passwords stored in plain text??
Message
Are passwords stored in plain text??
When I signed up I recieved an email with my full on password, this means that passwords are stored in plaintext, right? Isn't that super bad?
Passwords are hashed and you got it in plaintext because you just sent it in plaintext.
Not bad if you're managing your passwords properly, just change it again. It won't send another email.
Not bad if you're managing your passwords properly, just change it again. It won't send another email.
Re: Are passwords stored in plain text??
Right. Yes it is.shunk wrote:When I signed up I recieved an email with my full on password, this means that passwords are stored in plaintext, right? Isn't that super bad?
- NeddySeagoon
- Administrator
- Posts: 56094
- Joined: Sat Jul 05, 2003 9:37 am
- Location: 56N 3W
The question was not about worrying or best practices. The question was - is it bad or not, and yes it is bad no matter how skillful you are in shifting blame to your users. 50% of users do reuse their passwords, maybe not on this forum but still.gengreen wrote:I disagree, being worry about a password stored in clear is a security mistake at the first place. Never password reuse.Right. Yes it is
To address the actual problem here: yes, phpBB's security when it was written 18 years ago was somewhat average for the period. It could be better.
The mail server uses TLSv1.2, so as long as the recipient isn't doing awful things like using a freemail account hosted by a data-harvesting panopticon, it's still safe. Security is a spectrum.
The email templates are here, ready and waiting whenever someone wants to volunteer to fix it. No programming knowledge beyond git-format-patch is needed, but it looks like nobody's found it urgent enough to actually fix.
The mail server uses TLSv1.2, so as long as the recipient isn't doing awful things like using a freemail account hosted by a data-harvesting panopticon, it's still safe. Security is a spectrum.
The email templates are here, ready and waiting whenever someone wants to volunteer to fix it. No programming knowledge beyond git-format-patch is needed, but it looks like nobody's found it urgent enough to actually fix.
If it was only the users the problem ok... but even IT professional are reusing (and other sector), we should insist on this as much as possible.etnull wrote:The question was not about worrying or best practices. The question was - is it bad or not, and yes it is bad no matter how skillful you are in shifting blame to your users. 50% of users do reuse their passwords, maybe not on this forum but still.gengreen wrote:I disagree, being worry about a password stored in clear is a security mistake at the first place. Never password reuse.Right. Yes it is
This problem is older than year 2000 and will remain for long, probably forever, despite an available solution of never reuse password.
Being said, pushing people to understand that hash/crypt password of the forum wouldn't be a concern if at the first place, password was uniq, saying it can't harm but saying the dev of Gentoo are doing bad practice do harm.
Less is best
- NeddySeagoon
- Administrator
- Posts: 56094
- Joined: Sat Jul 05, 2003 9:37 am
- Location: 56N 3W