Please don't email my password in plaintext

Just signed up for this forum, was annoyed to see that my password was emailed to me in plaintext in the registration mail. Hopefully this isn’t being saved in the forum database plaintext…

With the other security measures in place (like the human verification form after clicking on the link in the email) this seems to be a fairly glaring issue.

That being said, thanks for running the forum! Please take this as a friendly suggestion.

I am sure it's not saved as plain text.

In fact, I am almost certain that if it is saved in the database it's like encoded well.

Plus, not sure what the big deal is about it anyway. Not like someone could do much with just your email address. The most I could see is random spam of advertisements, which you can just mark as spam, but I really doubt JGO would do that.

So yea, chillax bro.

SMF’s security in general is pretty slipshod (and pretty much all forum software sucks), but I’m sure Riven has been doing a heroic job in attacking the worst of it. I hope you’re not reusing any passwords in general, and especially not on forums. If the communication channel to your email isn’t secure, you have way bigger problems than exposing a forum password.

Everything I use has a different password for just such a reason; and I take all of the precautions I know about and/or reasonably can do without actually disconnecting myself :slight_smile: That being said I have no control over the communication channel of the e-mail outbound from the forum server. My communication channel to my server is secure, but the rest of the internet I can’t fix :smiley:

I know most forums are lax in security, but that doesn’t mean I’m not going to offer some suggestions when I see an easily-fixed problem. (it should be like a 60 second fix: remove that line from the “user-confirmation” email; save; deploy; done)

I’m not like raging upset or anything :slight_smile: was just slightly miffed at seeing the password I just typed displayed to me on my screen (imagine you were typing your password in somewhere, and instead of seeing ‘●●●●●●●●●’ you see ‘123456789’ you’d be probably mildly irritated). I’ll say, I was as upset at seeing my password as I would be from having dropped a piece of food I was eating. It’s just “aww, man… not cool”.

Shane, it’s not my e-mail address I’m concerned about, it’s the password. IF I used that password for other things (which I don’t, but a lot of people do) and someone got a hold of it, they could do some nasty things. My e-mail got broken into a few years ago (before I took more precautions) and it was really annoying to deal with all the fallout from it.

I actually thought the exact same thing when I signed up for the forums. There really isn’t any reason to email a password to the person who just entered it. If they managed to type the same thing twice in a row, they should be able to remember it just long enough to log in.

This is an internet forum. If you seriously think that any such forum provides better security than plain text passwords in emails, you are very naive. Also think about what it's for. There is little point having bank-level security… not that some banks don't have security this bad too.

Note that hacking/eavesdropping on your email is probably harder than just directly hacking the site. It really does not matter much if the passwords are plain text in the database, simply because once the site is compromised, they can just install a password scraper on the login page anyway. Well, there is some merit I guess, but not much.

Disagree. Defence in depth. We should all educate users about using different passwords on different sites, and in addition we should all ensure that software we write or maintain doesn’t expose passwords.

[quote]Note that hacking/eavesdropping on your email is probably harder than just directly hacking the site. It really does not matter much if the passwords are plain text in the database, simply because once the site is compromised, they can just install a password scraper on the login page anyway. Well, there is some merit I guess, but not much.
[/quote]
There is quite a bit of merit. It protects people who sign up once and never come back; and it protects against compromise of a backup of the database (e.g. a disk which is badly disposed of).

I never claimed or assumed that forums are supposed to provide bank level security.

What I am saying is: there is a very simple change that would (if ever so) slightly improve the security of the site, it’d make (at least some) of your users happy, it would take literally a minute to implement, there are no downsides.

Why some users here are complaining about me offering such a suggestion is confounding… especially in a forum regarding software development (we’re all here to learn and improve right? not just troll new users?)

Mods/site-owners, any irritation in my posts here is regarding the replies from people. My original post is just a friendly suggestion to improve the site.

Anyway, that’s all I’m going to post here.

Well yea, but it kinda seemed like you were to me.

Mostly with how you jumped at it just because the email it sent you had your email contained in it in text, you assumed that it was stored in the database as text.

They could have your email encoded so that if someone hacked the site and got it, it may look like a jumbled mess of letters. I am sure JGO (if they do encode in any way, I'm just making an example) have a way to decode it and send it out.

But if they hacked the site it should be easy enough to check the sent box… unless that is non-existent.

Why would any site keep a record of the activation email they send out to new users?

I think when you reset your password, it also sends you a new password in plaintext that lasts indefinitely instead of a one-time reset link. SMF is best secured by unplugging the machine that runs it.
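Since that post contrasts a mailed permanent password with a one-time reset link, here is an added Python sketch of how the reset-link side is normally done. This is example code written for this edit, not SMF's code: the server mails a random token but stores only its SHA-256 (so a copy of the database cannot be replayed), deletes the token on first use, and rejects it after an assumed 30-minute lifetime. The in-memory dict and the `now` parameter are stand-ins for a database table and the clock.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime of a reset link


class ResetTokenStore:
    """Outstanding reset tokens, keyed by SHA-256 of the token, never the token itself."""

    def __init__(self):
        self._pending = {}  # token_hash -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: int, now=None) -> str:
        """Create the token that goes into the email link; only its hash is kept."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now=None):
        """Return the user_id if the token is valid, else None.

        Always single use: the entry is removed even when it turns out to be
        expired, so a late or replayed link can never succeed."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id

    def outstanding(self) -> int:
        """Number of unredeemed tokens (useful for tests and monitoring)."""
        return len(self._pending)
```

After a successful redeem the application sets the new password the user typed on the reset form; nothing secret is ever written into an email that outlives the 30 minutes.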

That's why I added the last part, I am not very savvy of SMF :stuck_out_tongue:

why would anyone on earth save passwords as plaintext - though it happens

when I learned PHP waay back, I learned, well, you save a password into the database by using a hash, in that case md5 (it's long ago)
incredibly easy to use, and before lulzsec hacked all the Sony pages, the mere idea that anyone, let alone a big page, would save passwords in plaintext wouldn't even occur to me

after that I wrote sha512 stuff for passwords, easy to use and all

so I don't know what the big deal is with pages and security

in case of an md5 hash, it's only 1 line of code D:

and writing your own sha512 isn't very much either - and you just write it once anyway.

If you want really securely hashed passwords, use bcrypt, which isn’t crackable in seconds with rainbow tables on a GPU like md5 is. PHP has built-in support for using bcrypt (blowfish) in its crypt() function, using BSD’s insane “modular crypt” API. For once I can’t blame the API on PHP, but PHP of course manages to do one worse in that if it doesn’t support the requested implementation, it falls back to using a terrible built in crypt function instead, making it both insecure and unportable!

Ultimately though, if your password database is compromised, hashing only slows attackers down. You still better invalidate every password.

This is exactly the false sense of security many developers have. Hashing passwords is not enough, regardless of the algorithm. There are rainbow tables that you feed the hash into, and it (often) simply gives you the original password.
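As an added illustration of the two posts above (example code written for this edit, not SMF's or PHP's), the following Python contrasts the "one line of code" unsalted md5 store, which a precomputed table cracks with a single lookup, against a salted, iterated hash that forces the attacker to redo the full work for every candidate and every user. The short wordlist standing in for a rainbow table is constructed; PBKDF2-SHA256 from the standard library is used in place of the bcrypt the post recommends, and the iteration count is an assumed parameter.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table / dictionary: a few common passwords.
WORDLIST = ["password", "123456789", "letmein", "hunter2", "qwerty"]


def md5_unsalted(password: str) -> str:
    """The 'one line of code' scheme: hex(md5(password)), no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(words):
    """Precompute hash -> plaintext once; reusable against every site that uses unsalted md5."""
    return {md5_unsalted(w): w for w in words}


def crack_md5(stored_hex: str, table: dict):
    """A single dictionary lookup recovers the password if it is in the table."""
    return table.get(stored_hex)


def hash_password(password: str, *, salt=None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-SHA256 stored as 'pbkdf2_sha256$iterations$salt$hash'.

    The iteration count is an assumption; tune it so one verification costs on
    the order of a few hundred milliseconds on the server."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def dictionary_attack_salted(stored: str, words):
    """What the attacker is reduced to against a salted hash: recompute the KDF
    for every candidate, per user, at the server's chosen cost.
    Returns (password or None, number of KDF evaluations spent)."""
    for n, w in enumerate(words, 1):
        if verify_password(w, stored):
            return w, n
    return None, len(words)
```

The salted scheme still falls to a dictionary attack when the password is weak, which is the point of the "hashing only slows attackers down" remark: the cost goes from one table lookup shared across all users to `len(words) * iterations` KDF calls per user, and the password itself still has to be changed after a breach.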

I guess you’re not familiar with the SMF sourcecode.

It’s a steaming pile of shit. Seriously. Locating that single line of code is probably going to take me 10 minutes.

Going to ‘fix’ it now, though.

Edit:
It’s also worth noting that SMF is laughable regarding security. I just stumbled on this code:

		$request = db_query("
			SELECT ...
			FROM ...
			WHERE ... = '$_POST[...]'
			LIMIT 1");

I mean, it’s littered with these kinds of potential SQL injections.
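To make the injection pattern in that snippet concrete, here is an added Python example (not SMF's code) that reproduces the same shape against an in-memory SQLite table with constructed rows. The request value is spliced into the query string exactly as in the `'$_POST[...]'` pattern, and a crafted value closes the quote, appends a UNION that reads the password column, and turns the trailing `LIMIT 1` into a comment. The parameterised version passes the same string as data, so it is compared, not parsed. The table and column names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a forum members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, member_name TEXT, passwd TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (member_name, passwd) VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, member_name: str):
    """Same pattern as the SMF snippet: the request value is interpolated into SQL."""
    sql = (
        "SELECT id, member_name FROM members "
        f"WHERE member_name = '{member_name}' LIMIT 1"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, member_name: str):
    """Parameterised query: the driver sends the value separately, so quotes,
    UNION and -- are just characters of a name that matches nothing."""
    sql = "SELECT id, member_name FROM members WHERE member_name = ? LIMIT 1"
    return conn.execute(sql, (member_name,)).fetchall()


# Closes the string literal, unions in the passwd column (same arity as the
# original SELECT), and the trailing -- turns "' LIMIT 1" into a comment.
UNION_PAYLOAD = "x' UNION SELECT id, passwd FROM members --"
```

Run against the vulnerable lookup, the payload returns every stored password hash even though the query only ever intended to return one member's id and name; against the parameterised lookup it returns no rows.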

I’m kinda not following here…what exactly are you “fixing”? Are you not sending the password to the user’s email address anymore?

@Shane75776: Why do the (non-working) links in your signature read like they're links to malware?

Hahaha he just failed at correctly setting up the URL tag :stuck_out_tongue:

When you fix them, the first link gives me a 404 and the second link is to a fraud/malware “satellitedirect” site :slight_smile: