Debian User Forums

[KuleRucket]

I just signed up to the forum and I'm a little annoyed that my password has been sent to me in plain text in an email. As we all know, email isn't secure and I use this same password in 20 odd different forums, trac databases etc.

Now if I want to be sure all of my accounts are still secure, I have to go and change 20 different passwords

WTF?

[Pick2]

Let us be honest here , your real security problem is:

... I use this same password in 20 odd different forums ...

What you really need to do for security is:

Now if I want to be sure all of my accounts are still secure, I have to go and change 20 different passwords

Make sure you change them to a Different password for each.
You are Welcome

[KuleRucket]

Nevertheless it's still a problem with the forum.

[Raffles10]

Not a problem for sensible people. I can understand having the same username but the same password for 20 forums ? Would you put the same lock on 20 doors ?

[ComputerBob]

Not a problem for sensible people. I can understand having the same username but the same password for 20 forums ? Would you put the same lock on 20 doors ?

I would, if they were all doors on my house. (I know the point that you're trying to make, but I'm not sure that "doors" is a good example to use in this situation.)

[julian67]

I would, if they were all doors on my house. (I know the point that you're trying to make, but I'm not sure that "doors" is a good example to use in this situation.)

But in this case it's the front door at home, the back door, the garage, the office, the shed, the store, the neighbours' house you look after when they are away, your parents' house, your child's house, your safe deposit box, your gym locker and your car all sharing the same key

Equally pertinent is that even if every board used 'secure' methods to inform the user of the password it's still crazy to use the same password for everything. The fact that board X uses a 'secure' method to communicate the password and maybe even has no access to encrypted passwords doesn't mean that the admins are trustworthy or competent or that their board software is even slightly secure against attack, or that they used a reasonable method of password encryption or that they keep the salt value somewhere different than the database of passwords.

Plain text is fine imo for a board like this because nobody is required to be identifiable or to submit anything more than an email address. It's not like it's our banking details or amazon one-click ordering cookies......also there is no illegitimate activity which would excite the interest of lawyers or law enforcement like a p2p or cracking board. Basically we're a very long way from being a juicy target. If your log-in here is not used at 20 other places and becomes compromised then what happens? Maybe another spam in the spam folder of your free mail account....oh noes. Nothing valuable or necessarily personally identifiable or in any way private is asked of anyone and the policy is entirely appropriate.

[neddie]

I would say that "WTF?" is a very valid response to this, if that wasn't made clear during the signing up (I can't remember whether it was obvious that was going to happen or not).

It's all very well to say that everybody should have different passwords for each forum, but there is a limit to how many passwords one can remember and the number of passwords required for computer accounts / email / forums / bugzilla thingies / sourceforge / and so on is increasing rapidly.

Other systems I've seen make it very clear that the password being given will be emailed in plain text and therefore one shouldn't use a valuable password used elsewhere - this forum should do the same if it doesn't do already.

[nadir]

if someone has got the strong urge to post in my name (which ain't my name) i may send him my password so he can do so. he would be able to post on all forums in my names. so what?

are you all kidding? security questions related to forum-accounts?

btw: it is not unusual to do so (send it in plain text)

[julian67]

Nobody has to remember lots of passwords, there are plenty of tools for generating and securely storing passwords, and having them passed to the browser as required.

[kce]

Yeah, it's not an ideal setup, but using SSL/TLS is probably just too expensive for the forum. Think of the problem the other way around: what do you stand to lose if someone gets your forum password? Probably not very much, the user name will be banned after it's used to spam the board and that's that. However, if the same password is used for your email, online banking, etc. then you stand to lose substantially more.

It's all very well to say that everybody should have different passwords for each forum, but there is a limit to how many passwords one can remember and the number of passwords required for computer accounts / email / forums / bugzilla thingies / sourceforge / and so on is increasing rapidly.

I think Neddie's perfectly right. Ideally you should have a separate password for everything. A basic principle of security is that the more you share the secret the less of a secret it becomes, but this would quickly become un-manageable. I prefer to group my passwords by tiers: I have one that I use for forums and mailing-lists (in which all transactions involving the password are plaintext). I have separate ones for separate email accounts (business, correspondence, and a spam account) and finally all the important stuff like banking each has an individual password for each institution that is not re-used anywhere. A strategy like this will allow you to achieve some level of compartmentalization without having too much management overhead (I just keep a list of them in an GPG encrypted file).

[KuleRucket]

I understand the points about not using the same key for all accounts, but then I never said that I did. I'm not talking about banking accounts, loans, shares or even email accounts. Just the ones that don't really matter that much.

I'm still very surprised that it sent me the password this way and I'm a little surprised with the amount of attitude that has come back. It's a valid concern.

[nadir]

I'm a little surprised with the amount of attitude that has come back. It's a valid concern.

cause it is usual to do so? thats from my deluge account:

Welcome to forum.deluge-torrent.org forums

Please keep this e-mail for your records. Your account information is as
follows:

----------------------------
Username: me_is_me
Password: 6_is3x2/0

just *one* example of several/lots.

[milomak]

I have found that I have setup a few different passwords. Basically a setup following the pattern below:

Forums such as this get a generic, fairly weak password

Banking – very secure strong password

Sites which might have some sensitive personal data – a slightly weaker variation of the above (still fairly strong)

And tbf, it is very common for forums such as this to send an email with username and password in plain text. I am surprised the OP is even raising it.

[Jackiebrown]

I do the same as milomak.

Banks, persona; stuff (paypal and sites that have access to my banking info - newegg. pizza hut, etc) strong apsswords.

Forums - minium password not easily guessed but one that fits whatever board's policy I am on.

[saulgoode]

Other systems I've seen make it very clear that the password being given will be emailed in plain text and therefore one shouldn't use a valuable password used elsewhere - this forum should do the same if it doesn't do already.

I agree.

I'm a little surprised with the amount of attitude that has come back. It's a valid concern.

cause it is usual to do so? thats from my deluge account:

Welcome to forum.deluge-torrent.org forums

Please keep this e-mail for your records. Your account information is as
follows:

----------------------------
Username: me_is_me
Password: 6_is3x2/0

just *one* example of several/lots.

If the password is auto-generated by the website, I would agree it is not that great a concern; but if the forums are e-mailing a user-provided password in cleartext, the user should be forewarned.