Author Topic: Forum Password Security  (Read 6039 times)


Offline asuma28

  • Oni
  • Posts: 2
Forum Password Security
« on: October 22, 2012, 08:50:16 pm »
I just created a new account here and I noticed that my unencrypted password was emailed to me.  :o I am glad that it took my default generated LastPass password, but seeing it in an email was a bit surprising. Is this normal or can it be changed?

Offline JeffT

  • Administrator
  • Posts: 1843
Re: Forum Password Security
« Reply #1 on: October 22, 2012, 11:44:32 pm »
The only way to avoid this would be to have no way to reset a password (which relies on having access to your email account to authenticate you). The assumption is that your email account is secure. This is the model used by the vast majority of Internet services.
2023: Website Development Coordinator
2020-2022: Assistant Secretary, Website Development Coordinator
2011 - 2013, 2016-2019: Secretary
2007 - 2019: Website Manager
2015: Assistant Secretary
2014: Chair
2007 - 2009: Director of Publicity
2006: Copy Editor

Offline JeffT

  • Administrator
  • Posts: 1843
Re: Forum Password Security
« Reply #2 on: February 27, 2013, 04:20:49 am »
This no longer happens; the new version of SMF no longer emails the password.

Even with the old version, the password was never saved in plaintext - the password was generated and emailed immediately upon registering and the password wasn't saved. Both the old and new versions hashed the passwords in the database.
« Last Edit: February 27, 2013, 04:21:07 am by JeffT »