Forum passwords emailed in plain text


Forum passwords emailed in plain text

Post by EricaJoy » Sat Mar 01, 2008 7:23 pm

As is probably obvious, I just registered for the forum (congrats on the migration from SMF to phpbb3 btw). I received my activation email and horrors of horrors, there is my password in plain text. As a wise person once told me, email is more like a postcard than a letter so that password is now rendered null and void. Thankfully, I only use it on this site but what of those people who use the same password everywhere?

Is there a reason the passwords are emailed in plain text or is this an oops?


Re: Forum passwords emailed in plain text

Post by RobInk » Sat Mar 01, 2008 7:33 pm

Hi,

We are looking into this, thanks for reporting it.
Regards, Robin - Sites & Infrastructure


Re: Forum passwords emailed in plain text

Post by brad » Sat Mar 01, 2008 8:10 pm

As the email says, it is so you can save this for future use.

In any case, this is something very simple for us to remove. I am just not sure that it is a security risk as such. I see similar behavior on many other websites.

Feedback?
Brad Baker - Joomla! Core Team, Sites & Infrastructure.
http://www.rochen.com - Managed Dedicated, Reseller & Multiple Domain Hosting.
http://www.joomlatutorials.com <-- Joomla! 1.5 & 1.0.x
^New Joomla 1.5 Tutorials are out!


Re: Forum passwords emailed in plain text

Post by EricaJoy » Sat Mar 01, 2008 8:40 pm

brad wrote: As the email says, it is so you can save this for future use.
Saving a password in email for future use isn't really the best idea. Essentially, if a person can't remember their password, they should use the password recovery methods you guys already have implemented.
brad wrote: In any case, this is something very simple for us to remove. I am just not sure that it is a security risk as such.
It's not really much of a security risk on its own. When you start looking at what can happen as a result of the password being compromised (again, in the case of those who use the same password everywhere), the possible risks increase.
brad wrote: I see similar behavior on many other websites.
Yeah, I see the same on a lot of other websites too, but I hold Joomla! to a higher standard. :)
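The recovery-style flow EricaJoy points to, as an added example (this is not phpBB or Joomla! code and not from any poster in this thread): the activation email carries a random, single-use, expiring token instead of the password, and the server keeps only the token's hash plus a salted PBKDF2 hash of the password. The `Registrar` class, `base_url` and the message wording are assumptions for illustration.

```python
# Added example, not phpBB/Joomla! code: registration that never mails the
# password. Sniffing the email yields only a short-lived activation token,
# and a leaked database yields neither live tokens nor passwords.
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600


def hash_password(password: str, salt: bytes = b""):
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class Registrar:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.users = {}       # username -> {"salt", "pw_hash", "active"}
        self.pending = {}     # sha256(token) -> (username, issued_at)

    def register(self, username: str, password: str, base_url: str) -> str:
        """Create an inactive account and return the email body to send."""
        salt, pw_hash = hash_password(password)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash, "active": False}
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()   # store only the hash
        self.pending[key] = (username, self.now())
        return (f"Hi {username}, confirm your account within 24 hours:\n"
                f"{base_url}/activate?token={token}\n"
                "If you forget your password, use the reset form; we never email it.")

    def activate(self, token: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)   # pop: a token works exactly once
        if entry is None:
            return False
        username, issued_at = entry
        if self.now() - issued_at > TOKEN_TTL_SECONDS:
            return False                      # expired tokens are discarded
        self.users[username]["active"] = True
        return True

    def check_login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if not user or not user["active"]:
            return False
        _, candidate = hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["pw_hash"])
```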


Re: Forum passwords emailed in plain text

Post by brad » Sat Mar 01, 2008 8:53 pm

This forum uses phpBB, however Joomla has similar behavior.
That being said, if users don't take basic security measures, like using different passwords for different online services, is that the service's problem? Aren't the users to blame here?


Re: Forum passwords emailed in plain text

Post by EricaJoy » Sat Mar 01, 2008 8:58 pm

brad wrote: This forum uses phpBB, however Joomla has similar behavior.
That being said, if users don't take basic security measures, like using different passwords for different online services, is that the service's problem? Aren't the users to blame here?
Yes, but users never behave like they should. I know it's not fun to save users from themselves, but if you are able to, why not?


Re: Forum passwords emailed in plain text

Post by brad » Sat Mar 01, 2008 9:02 pm

I am still trying to work out how this is all a security risk. I'm open to being convinced, but as yet I am not. It's not like people are storing their banking details on this forum.

Perhaps once you have been a member around here for a while you will find that we go to great lengths to help as many users as possible.


Re: Forum passwords emailed in plain text

Post by EricaJoy » Sat Mar 01, 2008 10:03 pm

brad wrote: I am still trying to work out how this is all a security risk. I'm open to being convinced, but as yet I am not. It's not like people are storing their banking details on this forum.
Gallant registers for the Joomla! forum. Gallant uses the same password that he uses for his online banking account. Gallant doesn't know that this isn't the best idea and thinks his passwords are always safe.

Gallant's password is emailed to him. Now that password is easily associated with Gallant's email address.

Nefarious Goofus sniffs this email (not hard, it's in plain text!) and logs into every online banking site available with the email address and password combination. Goofus manages to find Gallant's bank account! Goofus then transfers all of Gallant's money to an offshore account in the Caymans and flees the US with all of Gallant's hard-earned money.

Yes, this is a worst-case scenario, but it's still feasible.
brad wrote: Perhaps once you have been a member around here for a while you will find that we go to great lengths to help as many users as possible.
...and you do a great job at it. :) If you guys feel as though it's in the users' best interests to email their passwords, I defer to you.


Re: Forum passwords emailed in plain text

Post by brad » Sat Mar 01, 2008 10:10 pm

I have never seen an online banking site that uses the person's email address as the login. In any case, thanks for your input, I'm still not convinced. We'll see if anyone else feels the same way.


Re: Forum passwords emailed in plain text

Post by EricaJoy » Sat Mar 01, 2008 10:19 pm

brad wrote: I have never seen an online banking site that uses the person's email address as the login. In any case, thanks for your input, I'm still not convinced. We'll see if anyone else feels the same way.
PayPal does actually.