View previous topic :: View next topic |
Author |
Message |
shunk n00b
Joined: 24 Dec 2019 Posts: 1 Location: Cobh, Ireland
|
Posted: Tue Dec 24, 2019 8:02 pm Post subject: Are passwords stored in plain text?? |
|
|
When I signed up I recieved an email with my full on password, this means that passwords are stored in plaintext, right? Isn't that super bad? |
|
Back to top |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Tue Dec 24, 2019 8:47 pm Post subject: |
|
|
Passwords are hashed and you got it in plaintext because you just sent it in plaintext.
Not bad if you're managing your passwords properly, just change it again. It won't send another email. |
|
Back to top |
|
|
389292 Guru
Joined: 26 Mar 2019 Posts: 504
|
Posted: Tue Dec 24, 2019 9:34 pm Post subject: Re: Are passwords stored in plain text?? |
|
|
shunk wrote: | When I signed up I recieved an email with my full on password, this means that passwords are stored in plaintext, right? Isn't that super bad? |
Right. Yes it is. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54607 Location: 56N 3W
|
Posted: Tue Dec 24, 2019 9:52 pm Post subject: |
|
|
Ant P. linked the forum code snippet above.
Passwords are hashed for storage. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
|
Posted: Wed Dec 25, 2019 12:00 pm Post subject: |
|
|
I disagree, being worry about a password stored in clear is a security mistake at the first place. Never password reuse. |
|
Back to top |
|
|
389292 Guru
Joined: 26 Mar 2019 Posts: 504
|
Posted: Wed Dec 25, 2019 3:11 pm Post subject: |
|
|
gengreen wrote: |
I disagree, being worry about a password stored in clear is a security mistake at the first place. Never password reuse. |
The question was not about worrying or best practices. The question was - is it bad or not, and yes it is bad no matter how skillful you are in shifting blame to your users. 50% of users do reuse their passwords, maybe not on this forum but still. |
|
Back to top |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Wed Dec 25, 2019 7:36 pm Post subject: |
|
|
To address the actual problem here: yes, phpBB's security when it was written 18 years ago was somewhat average for the period. It could be better.
The mail server uses TLSv1.2, so as long as the recipient isn't doing awful things like using a freemail account hosted by a data-harvesting panopticon, it's still safe. Security is a spectrum.
The email templates are here, ready and waiting whenever someone wants to volunteer to fix it. No programming knowledge beyond git-format-patch is needed, but it looks like nobody's found it urgent enough to actually fix. |
|
Back to top |
|
|
gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
|
Posted: Tue Jan 07, 2020 4:35 am Post subject: |
|
|
etnull wrote: | gengreen wrote: |
I disagree, being worry about a password stored in clear is a security mistake at the first place. Never password reuse. |
The question was not about worrying or best practices. The question was - is it bad or not, and yes it is bad no matter how skillful you are in shifting blame to your users. 50% of users do reuse their passwords, maybe not on this forum but still. |
If it was only the users the problem ok... but even IT professional are reusing (and other sector), we should insist on this as much as possible.
This problem is older than year 2000 and will remain for long, probably forever, despite an available solution of never reuse password.
Being said, pushing people to understand that hash/crypt password of the forum wouldn't be a concern if at the first place, password was uniq, saying it can't harm but saying the dev of Gentoo are doing bad practice do harm. _________________ Less is best |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54607 Location: 56N 3W
|
Posted: Tue Jan 07, 2020 8:45 am Post subject: |
|
|
gengreen,
Reusing passwords is a social problem not a technical one.
The only technical solution is to design out passwords.
Welcome 1984 _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
|