Plain text password sent on signup!
-
- Posts: 5
- Joined: 2010-01-17 12:38
Plain text password sent on signup!
I just signed up to the forum and I'm a little annoyed that my password has been sent to me in plain text in an email. As we all know, email isn't secure and I use this same password in 20 odd different forums, trac databases etc.
Now if I want to be sure all of my accounts are still secure, I have to go and change 20 different passwords
WTF?
Re: Plain text password sent on signup!
Let us be honest here, your real security problem is:
KuleRucket wrote:
    ... I use this same password in 20 odd different forums ...
What you really need to do for security is:
KuleRucket wrote:
    Now if I want to be sure all of my accounts are still secure, I have to go and change 20 different passwords
Make sure you change them to a different password for each.
You are welcome
-
- Posts: 5
- Joined: 2010-01-17 12:38
Re: Plain text password sent on signup!
Not a problem for sensible people. I can understand having the same username but the same password for 20 forums ? Would you put the same lock on 20 doors ?
Debian Squeeze + KDE 4.4.4 + AMD Athlon™ 64 X2 Dual Core Processor 6000 + nVidia GeForce 8600
- ComputerBob
- Posts: 1181
- Joined: 2007-11-30 04:49
- Location: The Mountains of the Sunshine State
- Been thanked: 1 time
Re: Plain text password sent on signup!
Raffles10 wrote:
    Not a problem for sensible people. I can understand having the same username but the same password for 20 forums ? Would you put the same lock on 20 doors ?
I would, if they were all doors on my house. (I know the point that you're trying to make, but I'm not sure that "doors" is a good example to use in this situation.)
ComputerBob - Making Geek-Speak Chic (TM)
ComputerBob.com - Nearly 6,000 Posts and 23 Million Views
My Massive Stroke
Help! (off-topic)
_________________
Your Life Matters
Re: Plain text password sent on signup!
ComputerBob wrote:
    I would, if they were all doors on my house. (I know the point that you're trying to make, but I'm not sure that "doors" is a good example to use in this situation.)
But in this case it's the front door at home, the back door, the garage, the office, the shed, the store, the neighbours' house you look after when they are away, your parents' house, your child's house, your safe deposit box, your gym locker and your car all sharing the same key.
Equally pertinent is that even if every board used 'secure' methods to inform the user of the password it's still crazy to use the same password for everything. The fact that board X uses a 'secure' method to communicate the password and maybe even has no access to encrypted passwords doesn't mean that the admins are trustworthy or competent or that their board software is even slightly secure against attack, or that they used a reasonable method of password encryption or that they keep the salt value somewhere different than the database of passwords.
Plain text is fine imo for a board like this because nobody is required to be identifiable or to submit anything more than an email address. It's not like it's our banking details or amazon one-click ordering cookies......also there is no illegitimate activity which would excite the interest of lawyers or law enforcement like a p2p or cracking board. Basically we're a very long way from being a juicy target. If your log-in here is not used at 20 other places and becomes compromised then what happens? Maybe another spam in the spam folder of your free mail account....oh noes. Nothing valuable or necessarily personally identifiable or in any way private is asked of anyone and the policy is entirely appropriate.
Wisdom from my inbox: "do not mock at your pottenocy"
Re: Plain text password sent on signup!
I would say that "WTF?" is a very valid response to this, if that wasn't made clear during the signing up (I can't remember whether it was obvious that was going to happen or not).
It's all very well to say that everybody should have different passwords for each forum, but there is a limit to how many passwords one can remember and the number of passwords required for computer accounts / email / forums / bugzilla thingies / sourceforge / and so on is increasing rapidly.
Other systems I've seen make it very clear that the password being given will be emailed in plain text and therefore one shouldn't use a valuable password used elsewhere - this forum should do the same if it doesn't do already.
Re: Plain text password sent on signup!
if someone has got the strong urge to post in my name (which ain't my name) i may send him my password so he can do so. he would be able to post on all forums in my names. so what?
are you all kidding? security questions related to forum-accounts?
btw: it is not unusual to do so (send it in plain text)
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.
Re: Plain text password sent on signup!
Nobody has to remember lots of passwords, there are plenty of tools for generating and securely storing passwords, and having them passed to the browser as required.
Wisdom from my inbox: "do not mock at your pottenocy"
Re: Plain text password sent on signup!
Yeah, it's not an ideal setup, but using SSL/TLS is probably just too expensive for the forum. Think of the problem the other way around: what do you stand to lose if someone gets your forum password? Probably not very much, the user name will be banned after it's used to spam the board and that's that. However, if the same password is used for your email, online banking, etc. then you stand to lose substantially more.
neddie wrote:
    It's all very well to say that everybody should have different passwords for each forum, but there is a limit to how many passwords one can remember and the number of passwords required for computer accounts / email / forums / bugzilla thingies / sourceforge / and so on is increasing rapidly.
I think Neddie's perfectly right. Ideally you should have a separate password for everything. A basic principle of security is that the more you share the secret the less of a secret it becomes, but this would quickly become unmanageable. I prefer to group my passwords by tiers: I have one that I use for forums and mailing-lists (in which all transactions involving the password are plaintext). I have separate ones for separate email accounts (business, correspondence, and a spam account) and finally all the important stuff like banking each has an individual password for each institution that is not re-used anywhere. A strategy like this will allow you to achieve some level of compartmentalization without having too much management overhead (I just keep a list of them in a GPG encrypted file).
More paranoid than AMLJ!
-
- Posts: 5
- Joined: 2010-01-17 12:38
Re: Plain text password sent on signup!
I understand the points about not using the same key for all accounts, but then I never said that I did. I'm not talking about banking accounts, loans, shares or even email accounts. Just the ones that don't really matter that much.
I'm still very surprised that it sent me the password this way and I'm a little surprised with the amount of attitude that has come back. It's a valid concern.
Re: Plain text password sent on signup!
KuleRucket wrote:
    I'm a little surprised with the amount of attitude that has come back. It's a valid concern.
cause it is usual to do so? thats from my deluge account:
    Welcome to forum.deluge-torrent.org forums
    Please keep this e-mail for your records. Your account information is as
    follows:
    ----------------------------
    Username: me_is_me
    Password: 6_is3x2/0
just *one* example of several/lots.
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.
Re: Plain text password sent on signup!
I have found that I have setup a few different passwords. Basically a setup following the pattern below:
- Banking – very secure strong password
- Sites which might have some sensitive personal data – a slightly weaker variation of the above (still fairly strong)
- Forums such as this get a generic, fairly weak password
And tbf, it is very common for forums such as this to send an email with username and password in plain text. I am surprised the OP is even raising it.
Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid
- Jackiebrown
- Posts: 1246
- Joined: 2007-01-02 04:46
- Location: San Antonio, TX
Re: Plain text password sent on signup!
I do the same as milomak.
Banks, personal stuff (paypal and sites that have access to my banking info - newegg, pizza hut, etc) strong passwords.
Forums - minimum password not easily guessed but one that fits whatever board's policy I am on.
Re: Plain text password sent on signup!
neddie wrote:
    Other systems I've seen make it very clear that the password being given will be emailed in plain text and therefore one shouldn't use a valuable password used elsewhere - this forum should do the same if it doesn't do already.
I agree.
nadir wrote:
    KuleRucket wrote:
        I'm a little surprised with the amount of attitude that has come back. It's a valid concern.
    cause it is usual to do so? thats from my deluge account:
        Welcome to forum.deluge-torrent.org forums
        Please keep this e-mail for your records. Your account information is as
        follows:
        ----------------------------
        Username: me_is_me
        Password: 6_is3x2/0
    just *one* example of several/lots.
If the password is auto-generated by the website, I would agree it is not that great a concern; but if the forums are e-mailing a user-provided password in cleartext, the user should be forewarned.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
-
- Posts: 1014
- Joined: 2009-06-15 01:19
Re: Plain text password sent on signup!
saulgoode wrote:
    neddie wrote:
        Other systems I've seen make it very clear that the password being given will be emailed in plain text and therefore one shouldn't use a valuable password used elsewhere - this forum should do the same if it doesn't do already.
    I agree.
Me too.
nadir wrote:
    I'm a little surprised with the amount of attitude that has come back.
I'm not. I seem to see quite a bit of...attitude... in this forum. And it's wearing rather thin.
Ahtiga Saraz
The people standing up against the tyrants! Audacity, more audacity, always audacity!
Re: Plain text password sent on signup!
hi,
i didn't write that, i quoted it.
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.
Re: Plain text password sent on signup!
Ahtiga Saraz wrote:
    ... I seem to see quite a bit of...attitude... in this forum. And it's wearing rather thin.
Personally, I think you are mistaking our meager attempts at humor (especially in off topic) as an attitude. The further away from discussing things relevant to debian you get, the more of that you will probably see. Just assume it's all humor ... don't take anything personally ... and you'll do fine here.
The reality is, that everyone posting here, except one's self, is just a Nickname. We don't know who anybody is, we all might be AI bots for all we really know. To take ANYTHING that is posted here as a personal attack or an insult and then feel bad about it is ridiculous. Why would you even care? To everyone else here ... you are just a Nickname. Or maybe an FBI bot! Or an Alien! Illegal or otherwise!
You could always go back to watching "Fringe" on the telly
Re: Plain text password sent on signup!
/me should have put the tin foil hat on before signing up on the forums
Just to bump this topic up, I will say that this is indeed an issue that has to be fixed, or at least this is how I see it, and that it can be fixed in no time.
Debian is, regardless of the things that happened with some packages in the past, one of the most secure operating systems; if not "by default", at least much more securable than the others. The forums should be secure too, whether they are official or not.
Re: Plain text password sent on signup!
I've edited the password out of all of the files, as necessary