Sandbox

As is probably obvious, I just registered for the forum (congrats on the migration from SMF to phpbb3 btw). I received my activation email and horrors of horrors, there is my password in plain text. As a wise person once told me, email is more like a postcard than a letter so that password is now rendered null and void. Thankfully, I only use it on this site but what of those people who use the same password everywhere?

Is there a reason the passwords are emailed in plain text or is this an oops?

Hi,

We are looking into this, thanks for reporting it.

As the email says, it so you can save this for future use.

In any case, this s something very simple for us to remove. I am just not sure that is is a security risk as such. I see similar behavior on many other websites.

Feedback?

brad wrote:As the email says, it so you can save this for future use.

Saving a password in email for future use isn't really the best idea. Essentially, if a person can't remember their password, they should use the password recovery methods you guys already have implemented.

brad wrote:In any case, this s something very simple for us to remove. I am just not sure that is is a security risk as such.

Its not really much of a security risk on its own. When you start looking at what can happen as a result of the password being compromised (again in the case of those that use the same password everywhere) the possible risks increase.

brad wrote:I see similar behavior on many other websites.

Yeah, I see the same on a lot of other websites too, but I hold Joomla! to a higher standard.

This forum uses phpBB, however Joomla has similar behavior.
That being said, if users don't take basic security measures, like using different passwords for different online services is that the services problem? Aren't the users to blame here?

brad wrote:This forum uses phpBB, however Joomla has similar behavior.
That being said, if users don't take basic security measures, like using different passwords for different online services is that the services problem? Aren't the users to blame here?

Yes, but users never behave like they should. I know its not fun to save users from themselves but if you are able to, why not?

I am still trying to work out how this is all a security risk. I'm open to being convinced, but as yet I am not. It's not like people are storing their banking details on this forum.

Perhaps once you have been a member around here for a while you will find that we go to great lengths to help as many users are possible.

brad wrote:I am still trying to work out how this is all a security risk. I'm open to being convinced, but as yet I am not. It's not like people are storing their banking details on this forum.

Gallant registers for the Joomla! forum. Gallant uses the same password that he uses for his online banking account. Gallant doesn't know that this isn't the best idea and thinks his passwords are always safe.

Gallant's password is emailed to him. Now that password is easily associated with Gallant's email address.

Nefarious Goofus sniffs this email (not hard, its in plain text!) and logs into every online banking site available with the email address and password combination. Goofus manages to find Gallants bank account! Goofus then transfers all of Gallant's money to an offshore account in the Caymans and flees the US with all of Gallant's hard earned money.

Yes, this is a worst case scenario but its still feasible.

brad wrote:Perhaps once you have been a member around here for a while you will find that we go to great lengths to help as many users are possible.

...and you do a great job at it. If you guys feel as though its in the users best interests to email their passwords, I defer to you.

I have never seen an online banking site that uses the persons email address as the login. In any case, thanks for your inputs, I'm still not convinced. We'll see if anyone else feels the same way.

brad wrote:I have never seen an online banking site that uses the persons email address as the login. In any case, thanks for your inputs, I'm still not convinced. We'll see if anyone else feels the same way.

PayPal does actually.