Author Topic: Forum Password Security  (Read 1278 times)

Offline asuma28

  • Oni
  • Posts: 2
Forum Password Security
« on: October 22, 2012, 08:50:16 pm »
I just created a new account here and I noticed that my unencrypted password was emailed to me.  :o I am glad that it took my default generated LastPass password, but seeing it in an email was a bit surprising. Is this normal or can it be changed?

Offline JeffT

  • Secretary, Website Manager
  • Administrator
  • Posts: 1822
Re: Forum Password Security
« Reply #1 on: October 22, 2012, 11:44:32 pm »
The only way to avoid this would be to have no way to reset a password (which relies on having access to your email account to authenticate you). The assumption is that your email account is secure. This is the model used by the vast majority of Internet services.
2011 - 2013, 2016-2017: Secretary
2007 - 2017: Website Manager
2015: Assistant Secretary
2014: Chair
2007 - 2009: Director of Publicity
2006: Copy Editor, A/V Manager

Offline JeffT

Re: Forum Password Security
« Reply #2 on: February 27, 2013, 04:20:49 am »
This no longer happens; the new version of SMF no longer emails the password.

Even with the old version, the password was never saved in plaintext - the password was generated and emailed immediately upon registering and the password wasn't saved. Both the old and new versions hashed the passwords in the database.
« Last Edit: February 27, 2013, 04:21:07 am by JeffT »
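
Added example, not part of the thread and not SMF's own code: a minimal sketch of the model the replies describe, where the database holds only a salted hash, the registration mail carries no password, and the email account authenticates a reset through a single-use, expiring token. The in-memory `USERS` and `OUTBOX` stores, the function names, the PBKDF2 parameters and the 15-minute token lifetime are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

USERS = {}        # constructed stand-in for the member table
OUTBOX = []       # constructed stand-in for outgoing mail: (to, body)
TOKEN_TTL = 900   # assumed lifetime of a reset token, in seconds

def _kdf(password, salt):
    # Salted, slow hash; PBKDF2 is used here for illustration only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(name, email, password):
    salt = secrets.token_bytes(16)
    USERS[name] = {"email": email, "salt": salt,
                   "pw": _kdf(password, salt), "reset": None}
    # The welcome mail confirms the account but never carries the password.
    OUTBOX.append((email, f"Welcome {name}, your account is ready."))

def check_password(name, password):
    user = USERS.get(name)
    if user is None:
        return False
    return hmac.compare_digest(user["pw"], _kdf(password, user["salt"]))

def request_reset(name, now=None):
    now = time.time() if now is None else now
    user = USERS[name]
    token = secrets.token_urlsafe(32)
    # Only a digest of the token is kept, so a database leak cannot replay it.
    user["reset"] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
    OUTBOX.append((user["email"], f"Password reset token: {token}"))
    return token

def complete_reset(name, token, new_password, now=None):
    now = time.time() if now is None else now
    user = USERS.get(name)
    if user is None or user["reset"] is None:
        return False
    digest, expires = user["reset"]
    if now > expires:
        user["reset"] = None          # expired tokens are discarded
        return False
    if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
        return False
    user["salt"] = secrets.token_bytes(16)
    user["pw"] = _kdf(new_password, user["salt"])
    user["reset"] = None              # single use
    return True
```

What reaches the mailbox here is a short-lived token rather than the long-lived password, so an old message found in the inbox later is worthless.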