Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Are passwords stored in plain text??
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Forums Feedback
View previous topic :: View next topic  
Author Message
shunk
n00b
n00b


Joined: 24 Dec 2019
Posts: 1
Location: Cobh, Ireland

PostPosted: Tue Dec 24, 2019 8:02 pm    Post subject: Are passwords stored in plain text?? Reply with quote

When I signed up I recieved an email with my full on password, this means that passwords are stored in plaintext, right? Isn't that super bad?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Tue Dec 24, 2019 8:47 pm    Post subject: Reply with quote

Passwords are hashed and you got it in plaintext because you just sent it in plaintext.

Not bad if you're managing your passwords properly, just change it again. It won't send another email.
Back to top
View user's profile Send private message
389292
Guru
Guru


Joined: 26 Mar 2019
Posts: 504

PostPosted: Tue Dec 24, 2019 9:34 pm    Post subject: Re: Are passwords stored in plain text?? Reply with quote

shunk wrote:
When I signed up I recieved an email with my full on password, this means that passwords are stored in plaintext, right? Isn't that super bad?

Right. Yes it is.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54603
Location: 56N 3W

PostPosted: Tue Dec 24, 2019 9:52 pm    Post subject: Reply with quote

Ant P. linked the forum code snippet above.
Passwords are hashed for storage.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
gengreen
Apprentice
Apprentice


Joined: 23 Dec 2017
Posts: 150

PostPosted: Wed Dec 25, 2019 12:00 pm    Post subject: Reply with quote

Quote:
Right. Yes it is


I disagree, being worry about a password stored in clear is a security mistake at the first place. Never password reuse.
Back to top
View user's profile Send private message
389292
Guru
Guru


Joined: 26 Mar 2019
Posts: 504

PostPosted: Wed Dec 25, 2019 3:11 pm    Post subject: Reply with quote

gengreen wrote:
Quote:
Right. Yes it is


I disagree, being worry about a password stored in clear is a security mistake at the first place. Never password reuse.

The question was not about worrying or best practices. The question was - is it bad or not, and yes it is bad no matter how skillful you are in shifting blame to your users. 50% of users do reuse their passwords, maybe not on this forum but still.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Wed Dec 25, 2019 7:36 pm    Post subject: Reply with quote

To address the actual problem here: yes, phpBB's security when it was written 18 years ago was somewhat average for the period. It could be better.
The mail server uses TLSv1.2, so as long as the recipient isn't doing awful things like using a freemail account hosted by a data-harvesting panopticon, it's still safe. Security is a spectrum.

The email templates are here, ready and waiting whenever someone wants to volunteer to fix it. No programming knowledge beyond git-format-patch is needed, but it looks like nobody's found it urgent enough to actually fix.
Back to top
View user's profile Send private message
gengreen
Apprentice
Apprentice


Joined: 23 Dec 2017
Posts: 150

PostPosted: Tue Jan 07, 2020 4:35 am    Post subject: Reply with quote

etnull wrote:
gengreen wrote:
Quote:
Right. Yes it is


I disagree, being worry about a password stored in clear is a security mistake at the first place. Never password reuse.

The question was not about worrying or best practices. The question was - is it bad or not, and yes it is bad no matter how skillful you are in shifting blame to your users. 50% of users do reuse their passwords, maybe not on this forum but still.


If it was only the users the problem ok... but even IT professional are reusing (and other sector), we should insist on this as much as possible.

This problem is older than year 2000 and will remain for long, probably forever, despite an available solution of never reuse password.

Being said, pushing people to understand that hash/crypt password of the forum wouldn't be a concern if at the first place, password was uniq, saying it can't harm but saying the dev of Gentoo are doing bad practice do harm.
_________________
Less is best
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54603
Location: 56N 3W

PostPosted: Tue Jan 07, 2020 8:45 am    Post subject: Reply with quote

gengreen,

Reusing passwords is a social problem not a technical one.
The only technical solution is to design out passwords.

Welcome 1984
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Forums Feedback All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum