Your Password behavior

KFlash
New user
Posts: 2
Joined: 30 Jul 2008, 23:59

Your Password behavior

Post by KFlash » 31 Jul 2008, 00:09

I find your behavior with the board passwords absolutely stupid.
First you force me to create a safe password and then you send it CLEAR TEXT by EMAIL to me!? Absolutely brilliant!

Why don't you send me a dummy password and force me to change it on the first login? This is much better than sending the real password in cleartext through the web.

At least you should WARN your users that you will send the password to them by mail.

skellr
Trained
Posts: 72
Joined: 17 Aug 2007, 15:58

Re: Your Password behavior

Post by skellr » 31 Jul 2008, 01:07

http://www.phpbb.com/
Go here and shake the monkey cage. :)

lav_coyote25
Professional
Posts: 3434
Joined: 08 Aug 2006, 23:18

Re: Your Password behavior

Post by lav_coyote25 » 31 Jul 2008, 06:57

before a shooting war starts... let's not use harsh language please. if there is a problem with the site - as kamaze stated go to the source of the problem - which in this case is the phpbb coders. obviously they have missed something that you have caught - i am just wondering how many people using the same software have missed this oh so obvious glitch.

thanks for the feedback. :D

Kreuvf
Global Moderator
Posts: 244
Joined: 22 Sep 2006, 20:56

Re: Your Password behavior

Post by Kreuvf » 31 Jul 2008, 08:44

KFlash wrote: Why don't you send me a dummy password and force me to change it on the first login? This is much better than sending the real password in cleartext through the web.
Without encryption both ways suck as both times you send your real password in cleartext through the web. Maybe that's why the phpBB developers decided to go this way.
Contact only via [url=https://warzone2100.de/impressum.php]e-mail[/url]. GPG encryption supported ([url=https://gpg.kreuvf.de/kreuvf2015.asc]my key[/url]).

DevUrandom
Regular
Posts: 1690
Joined: 31 Jul 2006, 23:14

Re: Your Password behavior

Post by DevUrandom » 31 Jul 2008, 09:55

As it currently looks to me, we cannot disable that send-password feature without touching the code.

"Best" way is to never send the password and not store it anywhere either. Maybe you want to tell the phpBB devs that. ;)
And if I am not mistaken, you send the password unencrypted anyway, when logging into the forums. So it does not matter that much, since one or the other channel is unencrypted anyway.
What helps against this? Do not use important passwords for web-authentication...

Kamaze
Regular
Posts: 1017
Joined: 30 Jul 2006, 15:23

Re: Your Password behavior

Post by Kamaze » 31 Jul 2008, 11:14

I can change the E-Mail template to remove the password from it.
We all have the same heaven, but not the same horizon.

Kreuvf
Global Moderator
Posts: 244
Joined: 22 Sep 2006, 20:56

Re: Your Password behavior

Post by Kreuvf » 31 Jul 2008, 15:51

DevUrandom wrote: Do not use important passwords for web-authentication...
Better: Never use the same password twice. :X
Contact only via [url=https://warzone2100.de/impressum.php]e-mail[/url]. GPG encryption supported ([url=https://gpg.kreuvf.de/kreuvf2015.asc]my key[/url]).

EvilGuru
Regular
Posts: 615
Joined: 23 Jun 2007, 22:41

Re: Your Password behavior

Post by EvilGuru » 31 Jul 2008, 16:23

I find your behavior with the board passwords [sic] absolut stupid.
First you force me to create a safe password and then you send it CLEAR TEXT by EMAIL to me!? Absolut brilliant!
Actually, it is safer to send it via e-mail than it is over plain HTTP.

Fact is if your mail server is competent in the least it will support TLS. When the wz2100.net MTA opens a connection to your MTA it will see that it supports TLS and use it. As a result the message is encrypted.

Next, if your IMAP/POP3 server and mail client are competent in the least SSL will be used to transfer/copy the message to your computer.

Now, that seems quite secure to me. (Unless you cannot trust the location where your mail is kept/stored, in which case you've got bigger problems.)

Furthermore, the password reset functionality also makes use of e-mail. It generates a code in the form of a link which is then e-mailed to you.

It is only insecure if others have access to your e-mails, again, in which case you've got bigger problems.

Regards, Freddie.
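
The reset-by-link flow mentioned in the post above, combined with the "never send the password and not store it" idea raised earlier in the thread, sketched as an added example (not phpBB's code and not from any poster). The function names, the `PENDING` table, the one-hour lifetime and the `forum.example` host are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL = 3600   # assumed lifetime of a reset link, in seconds
PENDING = {}       # user -> (sha256(token), expiry); stands in for a DB table


def issue_reset(user, now=None):
    """Create a one-time reset token; return (token, link to e-mail)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).digest()
    PENDING[user] = (digest, now + TOKEN_TTL)    # only the hash is stored;
                                                 # an older token is replaced
    # forum.example is a placeholder host, not the board in this thread
    link = "https://forum.example/reset?" + urlencode(
        {"user": user, "token": token})
    return token, link


def redeem(user, token, now=None):
    """Return True exactly once for a valid, unexpired token."""
    now = time.time() if now is None else now
    entry = PENDING.get(user)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        del PENDING[user]                        # expired links are dropped
        return False
    candidate = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(digest, candidate):   # constant-time compare
        return False
    del PENDING[user]   # single use: a copy left in a mailbox is now useless
    return True         # caller now lets the user choose a new password
```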
