Hello Guest it is October 16, 2019, 01:46:07 PM

Author Topic: Passwords are sent by email, stored as plain text  (Read 2828 times)

0 Members and 1 Guest are viewing this topic.

Passwords are sent by email, stored as plain text
« on: November 03, 2015, 11:17:39 AM »
Hey y'all, so your product is great but your forum is putting your customers at risk of their online data being compromised.

I just registered for your forum and received an email that included my password sent as plaintext. This is only possible if you all have the password stored in your database as text, rather than a hash. When passwords are stored in this way it means that, were your database to be compromised, every single user login and email would have the associated password conveniently visible to whoever gained access. I'm sure you know that many of your users likely use one password for many of their accounts, including the email they use to register with this forum.

Y'all need to fix this immediately.

For reference: http://plaintextoffenders.com/faq/devs

Thank much, be well.

Offline mc

*
  •  381 381
    • View Profile
Re: Passwords are sent by email, stored as plain text
« Reply #1 on: November 08, 2015, 05:06:17 AM »
The only time you'll get your password sent from SMF via email, is when you first register. There is an option to change it being emailed, however there are pros and cons to doing so.

All passwords are hashed when stored in the database, and are non-retrievable. The only way you could retrieve them is via brute force methods.