Your Passwort behavior

[KFlash]

I find your behavior with the board passwords absolut stupid.
First you force me to create a safe password and then you send it CLEAR TEXT by EMAIL to me!? Absolut brilliant!

Why don't you send me a dummi password and force me to change it on the first login? This is much better than sending real password in cleartext through the web.

At least you should WARN your users that you will send the password to them by mail.

[skellr]

http://www.phpbb.com/
Go here and shake the monkey cage.

[lav_coyote25]

before a shooting war starts... lets not use harsh language please. if there is a problem with the site - as kamaze stated go to the source of the problem - which in this case is the phpbb coders. obviously they have missed something that you have caught - i am just wondering how many people using the same software have missed this oh so obvious glitch.

thanks for the feedback.

[Kreuvf]

Why don't you send me a dummi password and force me to change it on the first login? This is much better than sending real password in cleartext through the web.

Without encryption both ways suck as both times you send your real password in cleartext through the web. Maybe that's why the phpBB developers decided to go this way.

[DevUrandom]

As it currently looks to me, we cannot disable that send-password feature without touching the code.

"Best" way is to never send the password and not store it anywhere either. Maybe you want to tell that the phpBB devs.
And if I am not mistaken, you send the password unencrypted anyway, when logging into the forums. So it does not matter that much, since one or the other channel is unencrypted anyway.
What helps against this? Do not use important passwords for web-authentication...

[Kamaze]

I can change the E-Mail template to remove the password from it.

[Kreuvf]

Do not use important passwords for web-authentication...

Better: Never use the same password twice. :X

[EvilGuru]

I find your behavior with the board passwords [sic] absolut stupid.
First you force me to create a safe password and then you send it CLEAR TEXT by EMAIL to me!? Absolut brilliant!

Actually, it is safer to send it via e-mail than it is over plain HTTP.

Fact is if your mail server is competent in the least it will support TLS. When the wz2100.net MTA opens a connection to your MTA it will see that it supports TLS and use it. As a result the message is encrypted.

Next, if your IMAP/POP3 server and mail client is competent in the least SSL will be used to transfer/copy the message to your computer.

Now, that seems quite secure to me. (Unless you can not trust the location where your mail is kept/stored, in which case you've got bigger problems.)

Furthermore, the password reset functionality also makes use of e-mail. It generates a code in the form of a link which is then e-mailed to you.

It is only insecure if others have access to your e-mails, again, in which case you've got bigger problems.

Regards, Freddie.