Kumoricon

News => Forum Announcements => Topic started by: asuma28 on October 22, 2012, 08:50:16 pm

Title: Forum Password Security
Post by: asuma28 on October 22, 2012, 08:50:16 pm
I just created a new account here and I noticed that my unencrypted password was emailed to me.  :o I am glad that it took my default generated LastPass password, but seeing it in an email was a bit surprising. Is this normal or can it be changed?
Title: Re: Forum Password Security
Post by: JeffT on October 22, 2012, 11:44:32 pm
The only way to avoid this would be to have no way to reset a password (which relies on having access to your email account to authenticate you). The assumption is that your email account is secure. This is the model used by the vast majority of Internet services.
Title: Re: Forum Password Security
Post by: JeffT on February 27, 2013, 04:20:49 am
This no longer happens; the new version of SMF no longer emails the password.

Even with the old version, the password was never saved in plaintext - the password was generated and emailed immediately upon registering and the password wasn't saved. Both the old and new versions hashed the passwords in the database.