When I signed up today, I was a bit unnerved to see my password emailed to me in cleartext.
This is generally considered bad, as smtp is not encrypted, and anyone that email passed by could catch that password.
Also, it's a bit disturbing that this forum software saves passwords in a retrievable manner, instead of as a hash of some sort.
What happens if someone catches a password as it traverses the internet? What happens if someone breaks into your server? I would be surprised if the amount of people who use the same password for multiple (or all) sites wasn't the majority.
I would strongly suggest looking into a way to correct this. If it hasn't yet been abused, I'm sure it's only a matter of time. |
i don't know of any forum that doesn't do this. it's not fort knox, it's a forum for a game using (i'm assuming) free forum software.
an FYI, nothing in e-mail is encrypted normally. That's right, I can read all your e-mail, forum browsing, porn looking, etc. if I was on the same LAN/WiFi as you.
Simple rule: don't use the same password for a forum as you do for your bank/cc/paypal/etc. It's just plain stupid. Doesn't matter what encryption someone has, it's been broken. |
This isn't for me, it's for others who don't know this.
No, you don't need to be on the same subnet as me though, if you catch the SMTP transmission on it's way from 2boy to your email provider.
And free software isn't to blame, most major* forums store the password as a hash (usually md5) in the SQL database backend. You hash the user's input and check that hash to the stored one, if it matches, the password matched. (except for extremely rare cases, look up md5 collision). This comparison can't go the other way, you can't reverse a hash.
So, either someone turned it off, or the people who wrote this board's software (http://www.simplemachines.org/) don't care about security all that much, or there was some pointy-haird-boss involved where he shouldn't have been.
* I know that PHPBB, PHPNUKE, Yabb, etc do this, at least. |
[quote author=The Happy Friar link=topic=965.msg6861#msg6861 date=1228531406]
an FYI, nothing in e-mail is encrypted normally.
Which is why passwords shouldn't be mailed... after all, you type it in twice, usually, so if you don't remember it... uh... |
I don't think that SMF store the password in plaintext or a decryptable way, this email can be created just after account creation using data you have entered.
Maybe this email functionnality can be disabled.
A lot of website use SMF, I think that if there was this king of security break, SMF should not exist anymore. |
Pretty much every web forum is full of security holes.
You shouldn't use passwords on forums and other silly websites that matter, and you should assume the account can be easily compromised. Because it can.
Changing the behavior of the initial email isn't going to make SimpleMachines suddenly secure, so you should just take care not to give it sensitive information. |
You are right, this forum doesn't need to be sent anything sensetive. But there is no excuse for a password to ever be sent from a forum in cleartext. Sorry. |
BCP in this case should be telling the user to "remember your password or write it down in a safe place", which at least makes it a social engineering problem (i.e. post-it notes on screens) rather than a digital security one.
NEVER e-mail plaintext passwords unless they are temporary (e.g. activation codes or one-shot "forgotten password" verification codes).
Just because phpBB does it, it's not a good idea. There's plenty of things phpBB does that are not good ideas at all. Popularity and bandwagoning go hand-in-hand, but thinking for yourself can be a better idea at times.
Generally, it's a MAJOR security issue to store plaintext passwords. Or passwords at all. Having your password saved in your inbox or in the forum's database is as bad as saving your PIN on your credit card.
The BCP for password verification is to store a hash (non-unique, but the chances of guessing a second match are pretty unimpressive) and then check the submitted password against it. Obviously the user-submitted password is plaintext, but that's really an issue of client-side security and provided you don't have an SSL connection available, that's just a risk you can't avoid.
Sorry, plaintext passwords are pet peeve of mine. |
You are viewing a static copy of the old 2DBoy forum, which closed in 2010. It is preserved here for historical interest, but it is not possible to reply to topics. For more recent discussion about World of Goo, visit our new forum.