Plain text password sent on signup!

Have something to say about forums.debian.net itself?

Plain text password sent on signup!

Postby KuleRucket » 2010-01-17 12:49

I just signed up to the forum and I'm a little annoyed that my password has been sent to me in plain text in an email. As we all know, email isn't secure and I use this same password in 20 odd different forums, trac databases etc.

Now if I want to be sure all of my accounts are still secure, I have to go and change 20 different passwords

WTF?
KuleRucket
 
Posts: 5
Joined: 2010-01-17 12:38

Re: Plain text password sent on signup!

Postby Pick2 » 2010-01-17 14:48

Let us be honest here, your real security problem is:
KuleRucket wrote:... I use this same password in 20 odd different forums ...

What you really need to do for security is:
KuleRucket wrote:Now if I want to be sure all of my accounts are still secure, I have to go and change 20 different passwords

Make sure you change them to a Different password for each.
You are Welcome
Pick2
 
Posts: 797
Joined: 2007-07-07 13:31
Location: Decatur Il

Re: Plain text password sent on signup!

Postby KuleRucket » 2010-01-17 17:01

Nevertheless it's still a problem with the forum.
KuleRucket
 
Posts: 5
Joined: 2010-01-17 12:38

Re: Plain text password sent on signup!

Postby Raffles10 » 2010-01-17 17:26

Not a problem for sensible people. I can understand having the same username, but the same password for 20 forums? Would you put the same lock on 20 doors?
Debian Squeeze + KDE 4.4.4 + AMD Athlon™ 64 X2 Dual Core Processor 6000 + nVidia GeForce 8600
Raffles10
 
Posts: 192
Joined: 2008-12-09 16:36
Location: London, UK

Re: Plain text password sent on signup!

Postby ComputerBob » 2010-01-17 17:47

Raffles10 wrote:Not a problem for sensible people. I can understand having the same username, but the same password for 20 forums? Would you put the same lock on 20 doors?

I would, if they were all doors on my house. (I know the point that you're trying to make, but I'm not sure that "doors" is a good example to use in this situation.)
ComputerBob - Making Geek-Speak Chic (TM)
ComputerBob.com - Nearly 6,000 Posts and 22 Million Views
My Ministry
My Massive Stroke
_________________
Your Life Matters
ComputerBob
 
Posts: 1199
Joined: 2007-11-30 04:49
Location: The Beautiful Sunshine State

Re: Plain text password sent on signup!

Postby julian67 » 2010-01-17 19:47

ComputerBob wrote:I would, if they were all doors on my house. (I know the point that you're trying to make, but I'm not sure that "doors" is a good example to use in this situation.)


But in this case it's the front door at home, the back door, the garage, the office, the shed, the store, the neighbours' house you look after when they are away, your parents' house, your child's house, your safe deposit box, your gym locker and your car all sharing the same key :D

Equally pertinent is that even if every board used 'secure' methods to inform the user of the password it's still crazy to use the same password for everything. The fact that board X uses a 'secure' method to communicate the password and maybe even has no access to encrypted passwords doesn't mean that the admins are trustworthy or competent or that their board software is even slightly secure against attack, or that they used a reasonable method of password encryption or that they keep the salt value somewhere different than the database of passwords.

Plain text is fine imo for a board like this because nobody is required to be identifiable or to submit anything more than an email address. It's not like it's our banking details or amazon one-click ordering cookies......also there is no illegitimate activity which would excite the interest of lawyers or law enforcement like a p2p or cracking board. Basically we're a very long way from being a juicy target. If your log-in here is not used at 20 other places and becomes compromised then what happens? Maybe another spam in the spam folder of your free mail account....oh noes. Nothing valuable or necessarily personally identifiable or in any way private is asked of anyone and the policy is entirely appropriate.
Wisdom from my inbox: "do not mock at your pottenocy"
julian67
 
Posts: 4648
Joined: 2007-04-06 14:39
Location: Just hanging around

Re: Plain text password sent on signup!

Postby neddie » 2010-01-17 20:28

I would say that "WTF?" is a very valid response to this, if that wasn't made clear during the signing up (I can't remember whether it was obvious that was going to happen or not).

It's all very well to say that everybody should have different passwords for each forum, but there is a limit to how many passwords one can remember and the number of passwords required for computer accounts / email / forums / bugzilla thingies / sourceforge / and so on is increasing rapidly.

Other systems I've seen make it very clear that the password being given will be emailed in plain text and therefore one shouldn't use a valuable password used elsewhere - this forum should do the same if it doesn't do already.
neddie
 
Posts: 380
Joined: 2009-09-14 07:57

Re: Plain text password sent on signup!

Postby nadir » 2010-01-17 20:40

If someone has got the strong urge to post in my name (which ain't my name) I may send him my password so he can do so. He would be able to post on all forums in my name. So what?

Are you all kidding? Security questions related to forum accounts?

btw: it is not unusual to do so (send it in plain text)
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.
nadir
 
Posts: 5964
Joined: 2009-10-05 22:06
Location: away

Re: Plain text password sent on signup!

Postby julian67 » 2010-01-17 20:50

Nobody has to remember lots of passwords, there are plenty of tools for generating and securely storing passwords, and having them passed to the browser as required.
Wisdom from my inbox: "do not mock at your pottenocy"
julian67
 
Posts: 4648
Joined: 2007-04-06 14:39
Location: Just hanging around

Re: Plain text password sent on signup!

Postby kce » 2010-01-17 20:52

Yeah, it's not an ideal setup, but using SSL/TLS is probably just too expensive for the forum. Think of the problem the other way around: what do you stand to lose if someone gets your forum password? Probably not very much, the user name will be banned after it's used to spam the board and that's that. However, if the same password is used for your email, online banking, etc. then you stand to lose substantially more.

neddie wrote:It's all very well to say that everybody should have different passwords for each forum, but there is a limit to how many passwords one can remember and the number of passwords required for computer accounts / email / forums / bugzilla thingies / sourceforge / and so on is increasing rapidly.


I think Neddie's perfectly right. Ideally you should have a separate password for everything. A basic principle of security is that the more you share the secret the less of a secret it becomes, but this would quickly become unmanageable. I prefer to group my passwords by tiers: I have one that I use for forums and mailing lists (in which all transactions involving the password are plaintext). I have separate ones for separate email accounts (business, correspondence, and a spam account) and finally all the important stuff like banking each has an individual password for each institution that is not re-used anywhere. A strategy like this will allow you to achieve some level of compartmentalization without having too much management overhead (I just keep a list of them in a GPG-encrypted file).
More paranoid than AMLJ!
kce
 
Posts: 265
Joined: 2008-10-31 16:48

Re: Plain text password sent on signup!

Postby KuleRucket » 2010-01-17 23:20

I understand the points about not using the same key for all accounts, but then I never said that I did. I'm not talking about banking accounts, loans, shares or even email accounts. Just the ones that don't really matter that much.

I'm still very surprised that it sent me the password this way and I'm a little surprised with the amount of attitude that has come back. It's a valid concern.
KuleRucket
 
Posts: 5
Joined: 2010-01-17 12:38

Re: Plain text password sent on signup!

Postby nadir » 2010-01-18 06:43

I'm a little surprised with the amount of attitude that has come back. It's a valid concern.

'cause it is usual to do so? That's from my deluge account:
Welcome to forum.deluge-torrent.org forums

Please keep this e-mail for your records. Your account information is as
follows:

----------------------------
Username: me_is_me
Password: 6_is3x2/0

just *one* example of several/lots.
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.
nadir
 
Posts: 5964
Joined: 2009-10-05 22:06
Location: away

Re: Plain text password sent on signup!

Postby milomak » 2010-01-18 08:27

I have found that I have set up a few different passwords. Basically a setup following the pattern below:

Forums such as this get a generic, fairly weak password

Banking – very secure strong password

Sites which might have some sensitive personal data – a slightly weaker variation of the above (still fairly strong)
And tbf, it is very common for forums such as this to send an email with username and password in plain text. I am surprised the OP is even raising it.
Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: Lenovo ideapad Y700-15ISK - Sid, Win10, Solus
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid
milomak
 
Posts: 2079
Joined: 2009-06-09 22:20

Re: Plain text password sent on signup!

Postby Jackiebrown » 2010-01-19 15:40

I do the same as milomak.

Banks, personal stuff (paypal and sites that have access to my banking info - newegg, pizza hut, etc) strong passwords.

Forums - minimum password not easily guessed but one that fits whatever board's policy I am on.
Jackiebrown
 
Posts: 1276
Joined: 2007-01-02 04:46
Location: San Antonio, TX

Re: Plain text password sent on signup!

Postby saulgoode » 2010-01-19 16:09

neddie wrote:Other systems I've seen make it very clear that the password being given will be emailed in plain text and therefore one shouldn't use a valuable password used elsewhere - this forum should do the same if it doesn't do already.

I agree.

nadir wrote:
I'm a little surprised with the amount of attitude that has come back. It's a valid concern.

'cause it is usual to do so? That's from my deluge account:
Welcome to forum.deluge-torrent.org forums

Please keep this e-mail for your records. Your account information is as
follows:

----------------------------
Username: me_is_me
Password: 6_is3x2/0

just *one* example of several/lots.

If the password is auto-generated by the website, I would agree it is not that great a concern; but if the forums are e-mailing a user-provided password in cleartext, the user should be forewarned.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
saulgoode
 
Posts: 1545
Joined: 2007-10-22 11:34
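Two technical points surface in the thread: julian67's remark that a board may or may not store salted hashes rather than recoverable passwords, and saulgoode's distinction between e-mailing an auto-generated password and e-mailing one the user chose and reuses elsewhere. The following is an added Python example written for this page; it is not code from forums.debian.net or from any forum package. It shows the defender-side fix to both: the signup flow stores only a per-account salted PBKDF2 hash and the welcome e-mail carries a one-time activation token instead of the password, so nothing reusable travels over plain SMTP. The `USERS` dict, the `forum.example` URL and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: PBKDF2 work factor; tune to the server's hardware.
PBKDF2_ITERATIONS = 200_000

# Constructed in-memory "database" of accounts, keyed by username.
USERS = {}


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt per account means two
    users with the same password get different stored digests, so a leaked
    table cannot be attacked with one precomputed list."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def register(username, password, users=USERS):
    """Create an inactive account and return the text of the signup e-mail.
    The e-mail carries a one-time activation token, never the password, so
    the value that travels over unencrypted SMTP cannot be reused to log in
    anywhere and is discarded after first use."""
    salt, digest = hash_password(password)
    token = secrets.token_urlsafe(32)
    users[username] = {
        "salt": salt,
        "digest": digest,
        "activation_token": token,
        "active": False,
    }
    return (
        f"Welcome to the forum, {username}.\n\n"
        f"Activate your account by visiting:\n"
        f"https://forum.example/activate?user={username}&token={token}\n"
    )


def activate(username, token, users=USERS):
    """Consume the activation token. compare_digest keeps the comparison
    constant-time; the token is cleared so it cannot be replayed."""
    record = users.get(username)
    if record is None or record["activation_token"] is None:
        return False
    if not hmac.compare_digest(record["activation_token"], token):
        return False
    record["active"] = True
    record["activation_token"] = None
    return True


def verify(username, password, users=USERS):
    """Check a login attempt against the stored salted hash; inactive
    accounts cannot log in."""
    record = users.get(username)
    if record is None or not record["active"]:
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    mail = register("kule", "correct horse battery staple")
    print(mail)
    token = mail.rsplit("token=", 1)[1].strip()
    print("activated:", activate("kule", token))
    print("login ok:", verify("kule", "correct horse battery staple"))
    print("wrong pw:", verify("kule", "hunter2"))
```

Whatever the board does with the e-mail, the stored record never contains the password itself, which is the property julian67's post says a user cannot take for granted; and because the mail body contains only a single-use token, a user who reused the password elsewhere has nothing exposed by the signup mail, which addresses saulgoode's case of a user-provided password.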
