Gentoo Forums
forums.gentoo.org password security
Gentoo Forums Feedback
blargism
n00b
Joined: 04 May 2016
Posts: 1

PostPosted: Wed May 04, 2016 2:24 pm    Post subject: Password Sent Via Email?

I'm a bit uncomfortable with my password being sent over email. It's not very secure. More email servers (thankfully) support SSL transfer, but still. Is there an easy way to update the forums to not do that?

Chiitoo
Administrator
Joined: 28 Feb 2010
Posts: 2740
Location: Here and Away Again

PostPosted: Wed May 04, 2016 7:52 pm    Post subject: ><)))°€

Merged the above post from its stand-alone topic as it seems to fit here.

Teegrins and welcome, blargism!

I don't know enough about things and stuff to answer your question, and I'm also not sure if we'd want to completely stop sending the password, but I guess that could work around the issue that is sending them in plain-text...
_________________
Kindest of regardses.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Wed May 04, 2016 10:26 pm

I suppose the idea is to make sure that a valid e-mail address was provided. More complicated schemes are possible and I recall my web hosting company using them, including two levels of password. (I only need the first level to pay them :D )

As has been pointed out, it's only forum access. For reference Citibank (THE Citibank of financial meltdown fame [or infamy!]), ignores case in passwords and doesn't require special characters. I can log on, transfer money (I just did it before the April 18 IRA deadline) and whatever. No, I don't let the browser store my bank or brokerage passwords. I do store the usernames and I also store the passwords to all the blogs and forums.

Whatever is done, PLEASE don't institute captcha as it is very difficult for those of us with limited eyesight. My wife wanted to create an account at a merchant. I gave up after failing six captchas.
Was that squiggly character a 5 or an s? I don't know, I barely passed my last driver's license visual exam. I only made that because the examiner, a lady that looked to be of the same age as I, looked around then whispered "try the fifth letter again".

Cyker
Veteran
Joined: 15 Jun 2006
Posts: 1746

PostPosted: Thu May 05, 2016 10:27 am

Why does it send the password anyway?

Current convention is to send a one-shot link via e-mail which the user then follows to reset their password, all protected by SSL so no plaintext exposure via e-mail needs to be done.

Alternatively, you could allow users to associate their PGP Public key with their account and have all e-mails encrypted to that key!
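Cyker's "one-shot link" scheme, as an added Python example that is not code from this thread or from phpBB: the server keeps only a hash of a random token, the token expires and is consumed on first use, and the mail template carries the link rather than any password. The in-memory store, the 15-minute lifetime, the `/reset?token=` URL shape and the example host are assumptions of this illustration.

```python
import hashlib
import secrets
import time

# Lifetime of a reset link; 15 minutes is an assumed value, not a phpBB setting.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Pending reset tokens keyed by SHA-256(token): a leaked table yields no
    working links. The clock is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Return a fresh single-use token; it goes only into the e-mailed
        link and is never stored or logged in clear."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token: str):
        """Consume the token and return its user_id, or None if it is unknown,
        already used or expired. pop() removes the entry on first sight, so a
        replayed link fails even if the first attempt was rejected as expired."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def reset_mail_body(username: str, base_url: str, token: str) -> str:
    """Mail that carries the link and nothing secret; no password field exists."""
    return (
        f"Hello {username},\n\n"
        "To set your password, open this link within 15 minutes:\n"
        f"{base_url}/reset?token={token}\n\n"
        "The link works once. If you did not request this, ignore this mail.\n"
    )


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice")
    print(reset_mail_body("alice", "https://forums.example.org", tok))
    print("first redeem:", store.redeem(tok))   # alice
    print("second redeem:", store.redeem(tok))  # None: link already used
```

The reset endpoint behind the link would call `redeem()` and only then accept a new password over HTTPS, so nothing secret ever travels by mail.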

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Thu May 05, 2016 1:52 pm

Cyker wrote:
Why does it send the password anyway?

Current convention is to send a one-shot link via e-mail which the user then follows to reset their password, all protected by SSL so no plaintext exposure via e-mail needs to be done.

Alternatively, you could allow users to associate their PGP Public key with their account and have all e-mails encrypted to that key!


Both good ideas!

desultory
Bodhisattva
Joined: 04 Nov 2005
Posts: 9410

PostPosted: Sat Jul 16, 2016 3:21 am

Split off "Troll had a point, but was too much of a troll.".

charmanderRoot
n00b
Joined: 28 Dec 2017
Posts: 1

PostPosted: Thu Dec 28, 2017 10:28 am    Post subject: Passwords as Plain text?????

So I just signed up. What the hell is going on? I got a confirmation email and it had my pword right there...

Cyker
Veteran
Joined: 15 Jun 2006
Posts: 1746

PostPosted: Thu Dec 28, 2017 12:08 pm

FFS, this is still a thing!? I complained about this years ago!!

All you can do is log in and change it in here to something else; at least *that* doesn't get sent over in plaintext! At least we hope...

fedeliallalinea
Administrator
Joined: 08 Mar 2003
Posts: 31349
Location: here

PostPosted: Thu Dec 28, 2017 12:13 pm

Old story
https://bugs.gentoo.org/431106
https://forums.gentoo.org/viewtopic-t-954924-start-0.html
_________________
Questions are guaranteed in life; Answers aren't.

Cyker
Veteran
Joined: 15 Jun 2006
Posts: 1746

PostPosted: Thu Dec 28, 2017 12:26 pm

You're not kidding it's old... I thought they'd at least stop sending the plaintext password in email by now, if not do any of the other stuff!

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9846
Location: almost Mile High in the USA

PostPosted: Thu Dec 28, 2017 9:04 pm

At least a warning should be printed "use a disposable password, this password may be sent through email or other unencrypted medium"?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

Cyker
Veteran
Joined: 15 Jun 2006
Posts: 1746

PostPosted: Thu Dec 28, 2017 9:13 pm

Well, someone in the original thread suggested just removing the password variable from the e-mail template so it just doesn't send it at all; that would be enough!

I admittedly don't know anything about phpbb so maybe it is not that simple tho'...

It's a bit ironic this is still a thing when I keep getting **** from certain other forum users for using old 'insecure' versions of software!

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9846
Location: almost Mile High in the USA

PostPosted: Thu Dec 28, 2017 11:41 pm

Yeah, looks like $PHPBBROOT/language/lang_{language}/email/*.tpl contains the templates, though one would have to actually edit it... for each of the possible mails and possible languages...

Scriptable, however :D

(I still have a phpbb 2.21 setup that's been disabled, hopefully nothing much changed from this version to what f.g.o is using.)
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920

PostPosted: Fri Dec 29, 2017 1:26 am

eccerr0r wrote:
At least a warning should be printed "use a disposable password, this password may be sent through email or other unencrypted medium"?

That's true of everything on the internet; you should never reuse passwords stored on Someone Else's Computers, and be ready to change any of them at a moment's notice.

Complaints are warranted here, but the outraged reactions (there have been two near-identical topics in the past three days) suggest that some users are accustomed to bad opsec because slicker-looking websites made them feel safe in doing so. Sometimes it's worth scaring people.

Cyker
Veteran
Joined: 15 Jun 2006
Posts: 1746

PostPosted: Fri Dec 29, 2017 1:37 pm

Well, I think the outraged reactions are just because people are, rightfully, not accustomed to having their secret password sent out in plaintext over unencrypted e-mail, and consider this A Bad Thing ;)

I must admit I have been surprised at how many people have been attempting to justify this as being okay and nothing to be concerned about, especially given how hard this distro is pushing security over usability lately.

pjp
Administrator
Joined: 16 Apr 2002
Posts: 20521

PostPosted: Thu Jan 04, 2018 4:13 pm

charmanderRoot wrote:
So I just signed up. What the hell is going on? I got a confirmation email and it had my pword right there...

fedeliallalinea wrote:
Old story
https://bugs.gentoo.org/431106
https://forums.gentoo.org/viewtopic-t-954924-start-0.html
Merged, thanks.
_________________
Quis separabit? Quo animo?

Hu
Administrator
Joined: 06 Mar 2007
Posts: 22853

PostPosted: Fri Jan 05, 2018 4:01 am

Cyker wrote:
I must admit I have been surprised at how many people have been attempting to justify this as being okay and nothing to be concerned about, especially given how hard this distro is pushing security over usability lately.
The distribution is a large and complex entity. Some security-oriented developers don't interact with the forum much, if at all. Some forum users don't work on security projects much, if at all.

Elevated permission on the forums (moderators, administrators) does not automatically confer the access necessary to change this (nor, necessarily, the background and time availability to attempt such a change). That permission comes with a trust that would likely make it easier to negotiate access to the relevant systems, but the access isn't automatically added when the moderator role is added.

gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150

PostPosted: Sat Jan 13, 2018 5:55 pm

An idea could be to remove the email field from the registration form, and then once the user is connected, through his profile, he can add (if he wants to) an email. It "solves" the problem of people crying about their password being sent in clear text, increases the "privacy" and won't bring more spam (tor + trash mail are allowed anyway...)

Are the sources of this forum available somewhere?

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920

PostPosted: Sat Jan 13, 2018 7:14 pm

gengreen wrote:
Are the sources of this forum available somewhere?

They were in a CVS repo last I heard. I can't find any links to it via here nor the wiki; that too needs to be fixed.

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54638
Location: 56N 3W

PostPosted: Sat Jan 13, 2018 7:42 pm

gengreen,

I've not checked that this is current.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150

PostPosted: Sat Jan 13, 2018 10:44 pm

Didn't think there was any specific spam check for the registration as mine did pass through tor + temporary email account... But yeah, tried to spam reg, it did not work.

Regarding the password sent in clear, it looks like the old original phpBB code, not something specific to the Gentoo forum

https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-projects/forums/htdocs/includes/usercp_register.php?view=markup

Line : 1305
Code:
'PASSWORD' => $password_confirm,


Could be replaced by something like

Code:
'PASSWORD' => 'You only known it',


And this will close the topic for good.

I don't mention line 1011, I think nobody (and especially not a spammer :P) will go through this.


Last edited by gengreen on Sun Jan 14, 2018 1:01 am; edited 1 time in total

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Sat Jan 13, 2018 11:13 pm

If the forum doesn't know your e-mail how can you get notified that there are responses to your posts?

I don't get the histrionics over having your password sent in your confirmation e-mail. It's not like it's your bank password. It's a common practice to e-mail forgotten passwords or at least temporary passwords.

Citibank allows you to use mixed case in passwords then ignores case entirely! I couldn't believe that so I logged in with all lower case. Yep, it works.

Chase on their web site tells me to never click on a link then sends me e-mail telling me to click on a link!

Equifax loses the complete data on 143 million people including mother's maiden name, birthday, address, phone number, social security number and more. Then tells you to sign up for their for-profit freeze/unfreeze service. The IRS gives them a sole source contract to store your tax returns AFTER the breach.

I can't get excited that someone may be sniffing my e-mail looking for the gentoo forum password.

gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150

PostPosted: Sun Jan 14, 2018 12:55 am

Tony0945 wrote:
If the forum doesn't know your e-mail how can you get notified that there are responses to your posts?

I don't get the histrionics over having your password sent in your confirmation e-mail. It's not like it's your bank password. It's a common practice to e-mail forgotten passwords or at least temporary passwords.

Citibank allows you to use mixed case in passwords then ignores case entirely! I couldn't believe that so I logged in with all lower case. Yep, it works.

Chase on their web site tells me to never click on a link then sends me e-mail telling me to click on a link!

Equifax loses the complete data on 143 million people including mother's maiden name, birthday, address, phone number, social security number and more. Then tells you to sign up for their for-profit freeze/unfreeze service. The IRS gives them a sole source contract to store your tax returns AFTER the breach.

I can't get excited that someone may be sniffing my e-mail looking for the gentoo forum password.


Quote:
Citibank allows you to use mixed case in passwords then ignores case entirely! I couldn't believe that so I logged in with all lower case. Yep, it works.

Chase on their web site tells me to never click on a link then sends me e-mail telling me to click on a link!


Do you know anything about banking security?

Quote:
Equifax loses the complete data on 143 million people including mother's maiden name, birthday, address, phone number, social security number and more. Then tells you to sign up for their for-profit freeze/unfreeze service. The IRS gives them a sole source contract to store your tax returns AFTER the breach.


Yes, and the difference between all your examples and Gentoo can be explained with a simple word: money

- Did you see a single advertisement anywhere in Gentoo?

- What personal data does Gentoo store about you?

- Gentoo is entirely tor friendly and doesn't require Javascript

- What would someone do with your password? Post in the forum in your name?

- The personal data you share here is up to you and you are responsible for it

Remember Gentoo, unlike a lot of distributions, isn't commercial in any way. All that you get here is free and made to protect you and your privacy as much as possible.

Quote:
If the forum doesn't know your e-mail how can you get notified that there are responses to your posts?


I don't use my email box weekly, so your question isn't pertinent to me.

I don't want to be rude, but use your brain more on what Gentoo is before making this kind of statement.

Anyway, your post despite being useless, I replied just before you giving the simple line to change to make this subject closed for good. It's an original phpBB function that was made more than 11 years ago, the team has something far more important to do than some php code. AND THEY ARE NOT PAID FOR IT

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Sun Jan 14, 2018 1:34 am

gengreen wrote:
Do you know anything about banking security?

I know that when my password wouldn't work and I called Citibank tech support the person who answered (sounding very Midwest American) told me to try several things. When none worked he got very excited and his Indian accent came out. He told me to try what he called "the master password". It worked and I reset my password. Would it be worse to e-mail me a new password or to give me a password that opens any account? Luckily I am an honest man and did not make note of the "master password".

Quote:
Yes, and the difference between all your examples and Gentoo can be explained with a simple word: money

- Did you see a single advertisement anywhere in Gentoo?

- What personal data does Gentoo store about you?

- Gentoo is entirely tor friendly and doesn't require Javascript

- What would someone do with your password? Post in the forum in your name?

- The personal data you share here is up to you and you are responsible for it

Exactly my point!
Quote:
I don't want to be rude, but use your brain more on what Gentoo is before making this kind of statement.

Maybe you should use your brain for reading before making this kind of statement.

szatox
Advocate
Joined: 27 Aug 2013
Posts: 3477

PostPosted: Sun Jan 14, 2018 2:50 am

Quote:
Luckily I am an honest man and did not make note of the "master password".
It's not a sign of honesty, it's a sign of ignorance.
Should have reported that as a security incident. By simply ignoring it you became a contributor.
If he gave that master password to you, he may have just as well given it to someone less "honest".

I'm not too concerned about passwords here, because unauthorized access would have little impact. Unauthorized access to my bank account would bother me much more.

Page 2 of 3