blargism n00b
Joined: 04 May 2016 Posts: 1
Posted: Wed May 04, 2016 2:24 pm Post subject: Password Sent Via Email?

I'm a bit uncomfortable with my password being sent over email. It's not very secure. More email servers (thankfully) support SSL transfer, but still. Is there an easy way to update the forums to not do that?

Chiitoo Administrator
Joined: 28 Feb 2010 Posts: 2740 Location: Here and Away Again
Posted: Wed May 04, 2016 7:52 pm Post subject: ><)))°€

Merged the above post from its stand-alone topic as it seems to fit here.
Teegrins and welcome, blargism!
I don't know enough about things and stuff to answer your question, and I'm also not sure if we'd want to completely stop sending the password, but I guess that could work around the issue that is sending them in plain-text...
_________________
Kindest of regardses.

Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Wed May 04, 2016 10:26 pm Post subject:

I suppose the idea is to make sure that a valid e-mail address was provided. More complicated schemes are possible and I recall my web hosting company using them, including two levels of password. (I only need the first level to pay them.)
As has been pointed out, it's only forum access. For reference Citibank (THE Citibank of financial meltdown fame [or infamy!]) ignores case in passwords and doesn't require special characters. I can log on, transfer money (I just did it before the April 18 IRA deadline) and whatever. No, I don't let the browser store my bank or brokerage passwords. I do store the usernames and I also store the passwords to all the blogs and forums.
Whatever is done, PLEASE don't institute captcha as it is very difficult for us with limited eyesight. My wife wanted to create an account at a merchant. I gave up after failing six captchas.
Was that squiggly character a 5 or an s? I don't know, I barely passed my last driver's license visual exam. I only made that because the examiner, a lady that looked to be of the same age as I, looked around then whispered "try the fifth letter again".

Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Thu May 05, 2016 10:27 am Post subject:

Why does it send the password anyway?
Current convention is to send a one-shot link via e-mail which the user then follows to reset their password, all protected by SSL so no plaintext exposure via e-mail needs to be done.
Alternatively, you could allow users to associate their PGP Public key with their account and have all e-mails encrypted to that key!

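The one-shot reset link Cyker describes, written out as an added example that is not from the original post and not phpBB's own code: the mail carries only a random token, the server stores only the token's hash with an expiry, and the token is accepted exactly once. The in-memory store, the 30-minute lifetime and the URL layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 60  # assumed policy: a link is good for 30 minutes

# Constructed in-memory store, user id -> (sha256 hex of token, expiry epoch seconds).
# Only the hash is kept, so a leaked database row does not yield a working link.
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_link(user_id: str, base_url: str, now: Optional[float] = None) -> str:
    """Mint a single-use token and return the https link that goes into the mail.

    The mail carries the random token and nothing secret about the account;
    the password itself is never written into an e-mail.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_resets[user_id] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return f"{base_url}/reset?uid={user_id}&token={token}"


def redeem_reset_token(user_id: str, token: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(user_id)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        del _pending_resets[user_id]  # a stale token is dropped, not honoured
        return False
    # Constant-time comparison so a wrong guess does not leak how much of the hash matched.
    if not hmac.compare_digest(stored_digest, _digest(token)):
        return False  # a wrong guess does not burn the real token; rate-limit guesses upstream
    del _pending_resets[user_id]  # consumed: the same link can never be used again
    return True


if __name__ == "__main__":
    link = issue_reset_link("42", "https://forums.example.invalid")
    print("mail body would contain:", link)
    tok = link.rsplit("token=", 1)[1]
    print(redeem_reset_token("42", tok), redeem_reset_token("42", tok))  # True False
```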
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Thu May 05, 2016 1:52 pm Post subject:

Cyker wrote:
    Why does it send the password anyway?
    Current convention is to send a one-shot link via e-mail which the user then follows to reset their password, all protected by SSL so no plaintext exposure via e-mail needs to be done.
    Alternatively, you could allow users to associate their PGP Public key with their account and have all e-mails encrypted to that key!
Both good ideas!

desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
charmanderRoot n00b
Joined: 28 Dec 2017 Posts: 1
Posted: Thu Dec 28, 2017 10:28 am Post subject: Passwords as Plain text?????

So I just signed up. What the hell is going on? I got a confirmation email and it had my pword right there...

Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Thu Dec 28, 2017 12:08 pm Post subject:

FFS, this is still a thing!? I complained about this years ago!!
All you can do is log in and change it in here to something else; at least *that* doesn't get sent over in plaintext! At least we hope...

fedeliallalinea Administrator
Joined: 08 Mar 2003 Posts: 31349 Location: here
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Thu Dec 28, 2017 12:26 pm Post subject:

You're not kidding it's old... I thought they'd at least stop sending the plaintext password in email by now, if not do any of the other stuff!

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
Posted: Thu Dec 28, 2017 9:04 pm Post subject:

At least a warning should be printed "use a disposable password, this password may be sent through email or other unencrypted medium"?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Thu Dec 28, 2017 9:13 pm Post subject:

Well someone in the original thread suggested just removing the password variable from the e-mail template so it just doesn't send it at all; that would be enough!
I admittedly don't know anything about phpbb so maybe it is not that simple tho'...
It's a bit ironic this is still a thing when I keep getting **** from certain other forum users for using old 'insecure' versions of software!

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
Posted: Thu Dec 28, 2017 11:41 pm Post subject:

Yeah, looks like $PHPBBROOT/language/lang_{language}/email/*.tpl contains the templates, though one would have to actually edit it... for each of the possible mails and possible languages...
Scriptable, however :D
(I still have a phpbb 2.21 setup that's been disabled, hopefully nothing much changed from this version to what f.g.o is using.)
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

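The kind of script eccerr0r has in mind, added here as an example that is neither part of the thread nor phpBB's own code: it walks $PHPBBROOT/language/lang_*/email/*.tpl, reports every template line that would expand the password variable, and rewrites those templates with a backup copy beside each one. It assumes the phpBB 2 syntax {PASSWORD} for the template variable and builds a constructed sample tree in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# phpBB 2 keeps one mail template per language under language/lang_<name>/email/ and
# expands variables written as {NAME}; the registration mail expands PASSWORD.
# The {PASSWORD} syntax and the sample file names are assumptions of this example.
PASSWORD_VAR = re.compile(r"\{PASSWORD\}")
NEUTRAL_TEXT = "(not included in this e-mail)"
TEMPLATE_GLOB = "language/lang_*/email/*.tpl"

def find_password_leaks(phpbb_root: Path) -> list:
    """Return (template, line number, line) for each line that would print the password."""
    hits = []
    for tpl in sorted(phpbb_root.glob(TEMPLATE_GLOB)):
        for lineno, line in enumerate(tpl.read_text(encoding="utf-8").splitlines(), 1):
            if PASSWORD_VAR.search(line):
                hits.append((tpl, lineno, line))
    return hits

def scrub_templates(phpbb_root: Path) -> int:
    """Replace {PASSWORD} with neutral text across all languages; return files changed.
    The untouched original is kept beside each changed file as <name>.tpl.orig."""
    changed = 0
    for tpl in sorted(phpbb_root.glob(TEMPLATE_GLOB)):
        text = tpl.read_text(encoding="utf-8")
        new_text, n = PASSWORD_VAR.subn(NEUTRAL_TEXT, text)
        if n:
            tpl.with_name(tpl.name + ".orig").write_text(text, encoding="utf-8")
            tpl.write_text(new_text, encoding="utf-8")
            changed += 1
    return changed

def make_sample_root() -> Path:
    """Constructed sample tree: two languages, one leaking template and one clean one."""
    root = Path(tempfile.mkdtemp())
    for lang in ("english", "german"):
        d = root / "language" / f"lang_{lang}" / "email"
        d.mkdir(parents=True)
        (d / "user_welcome.tpl").write_text(
            "Subject: Welcome to {SITENAME}\n\nUsername: {USERNAME}\nPassword: {PASSWORD}\n",
            encoding="utf-8")
        (d / "topic_notify.tpl").write_text("Subject: Reply\n\n{TOPIC_TITLE}\n", encoding="utf-8")
    return root

if __name__ == "__main__":
    root = make_sample_root()
    for path, n, line in find_password_leaks(root):
        print(f"{path.relative_to(root)}:{n}: {line}")
    print("templates scrubbed:", scrub_templates(root))
```

Run it against a real tree by calling find_password_leaks(Path("/path/to/phpbb")) first; the dry-run listing is what you review before scrub_templates() touches anything.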
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Dec 29, 2017 1:26 am Post subject:

eccerr0r wrote:
    At least a warning should be printed "use a disposable password, this password may be sent through email or other unencrypted medium"?
That's true of everything on the internet; you should never reuse passwords stored on Someone Else's Computers, and be ready to change any of them at a moment's notice.
Complaints are warranted here but the outraged reactions (there have been two near-identical topics in the past three days) suggest that some users are accustomed to bad opsec because slicker-looking websites made them feel safe in doing so. Sometimes it's worth scaring people.

Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Fri Dec 29, 2017 1:37 pm Post subject:

Well, I think the outraged reactions are just because people are, rightfully, not accustomed to having their secret password sent out in plaintext over unencrypted e-mail, and consider this A Bad Thing.
I must admit I have been surprised at how many people have been attempting to justify this as being okay and nothing to be concerned about, especially given how hard this distro is pushing security over usability lately.

pjp Administrator
Joined: 16 Apr 2002 Posts: 20521
Posted: Thu Jan 04, 2018 4:13 pm Post subject:

charmanderRoot wrote:
    So I just signed up. What the hell is going on? I got a confirmation email and it had my pword right there...
Merged, thanks.
_________________
Quis separabit? Quo animo?

Hu Administrator
Joined: 06 Mar 2007 Posts: 22853
Posted: Fri Jan 05, 2018 4:01 am Post subject:

Cyker wrote:
    I must admit I have been surprised at how many people have been attempting to justify this as being okay and nothing to be concerned about, especially given how hard this distro is pushing security over usability lately.
The distribution is a large and complex entity. Some security-oriented developers don't interact with the forum much, if at all. Some forum users don't work on security projects much, if at all.
Elevated permission on the forums (moderators, administrators) does not automatically confer the access necessary to change this (nor, necessarily, the background and time availability to attempt such a change). That permission comes with a trust that would likely make it easier to negotiate access to the relevant systems, but the access isn't automatically added when the moderator role is added.

gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
Posted: Sat Jan 13, 2018 5:55 pm Post subject:

An idea could be to remove the email field from the registration form, and then once the user is connected, through his profile, he can add (if he wants to) an email. It "solves" the problem of people crying about their password sent in clear text, increases the "privacy" and won't bring more spam (tor + trash mail are allowed anyway...)
Are the sources of this forum available somewhere?

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sat Jan 13, 2018 7:14 pm Post subject:

gengreen wrote:
    Are the sources of this forum available somewhere?
They were in a CVS repo last I heard. I can't find any links to it via here nor the wiki; that too needs to be fixed.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54638 Location: 56N 3W
Posted: Sat Jan 13, 2018 7:42 pm Post subject:

gengreen,
I've not checked that this is current.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
Posted: Sat Jan 13, 2018 10:44 pm Post subject:

Didn't think there was any specific spam check for the registration as mine did pass through tor + temporary email account... But yeah, tried to spam reg, it did not work.
Regarding the password sent in clear, it looks like the old original phpBB code, not something specific to the Gentoo forum
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-projects/forums/htdocs/includes/usercp_register.php?view=markup
Line 1305:
Code:
    'PASSWORD' => $password_confirm,
Could be replaced by something like
Code:
    'PASSWORD' => 'You only known it',
And this will close the topic once and for all.
I don't mention line 1011, I think nobody (and especially not a spammer) will go through this.
Last edited by gengreen on Sun Jan 14, 2018 1:01 am; edited 1 time in total

Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sat Jan 13, 2018 11:13 pm Post subject:

If the forum doesn't know your e-mail how can you get notified that there are responses to your posts?
I don't get the histrionics over having your password sent in your confirmation e-mail. It's not like it's your bank password. It's a common practice to e-mail forgotten passwords or at least temporary passwords.
Citibank allows you to use mixed case in passwords then ignores case entirely! I couldn't believe that so I logged in with all lower case. Yep, it works.
Chase on their web site tells me to never click on a link then sends me e-mail telling me to click on a link!
Equifax loses the complete data on 143 million people including mother's maiden name, birthday, address, phone number, social security number and more. Then tells you to sign up for their for-profit freeze/unfreeze service. The IRS gives them a sole source contract to store your tax returns AFTER the breach.
I can't get excited that someone may be sniffing my e-mail looking for the gentoo forum password.

gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
Posted: Sun Jan 14, 2018 12:55 am Post subject:

Tony0945 wrote:
    If the forum doesn't know your e-mail how can you get notified that there are responses to your posts?
    I don't get the histrionics over having your password sent in your confirmation e-mail. It's not like it's your bank password. It's a common practice to e-mail forgotten passwords or at least temporary passwords.
    Citibank allows you to use mixed case in passwords then ignores case entirely! I couldn't believe that so I logged in with all lower case. Yep, it works.
    Chase on their web site tells me to never click on a link then sends me e-mail telling me to click on a link!
    Equifax loses the complete data on 143 million people including mother's maiden name, birthday, address, phone number, social security number and more. Then tells you to sign up for their for-profit freeze/unfreeze service. The IRS gives them a sole source contract to store your tax returns AFTER the breach.
    I can't get excited that someone may be sniffing my e-mail looking for the gentoo forum password.
Quote:
    Citibank allows you to use mixed case in passwords then ignores case entirely! I couldn't believe that so I logged in with all lower case. Yep, it works.
    Chase on their web site tells me to never click on a link then sends me e-mail telling me to click on a link!
Do you know anything about banking security?
Quote:
    Equifax loses the complete data on 143 million people including mother's maiden name, birthday, address, phone number, social security number and more. Then tells you to sign up for their for-profit freeze/unfreeze service. The IRS gives them a sole source contract to store your tax returns AFTER the breach.
Yes, and the difference between all your examples and Gentoo can be explained with a simple word: Money
- Did you see a single advertisement anywhere in Gentoo?
- What personal data does Gentoo store about you?
- Gentoo is entirely tor friendly and doesn't require Javascript
- What would someone do with your password? Post in the forum under your name?
- The personal data you share here is up to you and you are responsible for it
Remember, Gentoo, unlike a lot of distributions, isn't commercial in any way. All you get here is free and made to protect you and your privacy as much as possible.
Quote:
    If the forum doesn't know your e-mail how can you get notified that there are responses to your posts?
I don't use my email box weekly, so your question isn't pertinent to me.
I don't want to be rush, but use your brain more on what Gentoo is before making this kind of statement.
Anyway, your post despite being useless, I replied just before you giving the simple line to change to close this subject for good. It's an original phpBB function that was made more than 11 years ago; the team has something far more important to do than some php code. AND THEY ARE NOT PAID FOR IT

Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sun Jan 14, 2018 1:34 am Post subject:

gengreen wrote:
    Do you know anything about banking security?
I know that when my password wouldn't work and I called Citibank tech support the person who answered (sounding very Midwest American) told me to try several things. When none worked he got very excited and his Indian accent came out. He told me to try what he called "the master password". It worked and I reset my password. Would it be worse to e-mail me a new password or to give me a password that opens any account? Luckily I am an honest man and did not make note of the "master password".
Quote:
    Yes, and the difference between all your examples and Gentoo can be explained with a simple word: Money
    - Did you see a single advertisement anywhere in Gentoo?
    - What personal data does Gentoo store about you?
    - Gentoo is entirely tor friendly and doesn't require Javascript
    - What would someone do with your password? Post in the forum under your name?
    - The personal data you share here is up to you and you are responsible for it
Exactly my point!
Quote:
    I don't want to be rush, but use your brain more on what Gentoo is before making this kind of statement.
Maybe you should use your brain for reading before making this kind of statement.

szatox Advocate
Joined: 27 Aug 2013 Posts: 3477
Posted: Sun Jan 14, 2018 2:50 am Post subject:

Quote:
    Luckily I am an honest man and did not make note of the "master password".
It's not a sign of honesty, it's a sign of ignorance.
Should have reported that as a security incident. By simply ignoring it you became a contributor.
If he gave that master password to you, he may have just as well given it to someone less "honest".
I'm not too concerned about passwords here, because unauthorized access would have little impact. Unauthorized access to my bank account would bother me much more.