Linode Forum
Linode Community Forums
Posted: Thu May 10, 2012 5:29 pm
Newbie

Joined: Thu May 10, 2012 5:16 pm
Posts: 2
Surely not.

Quote:
Welcome to Linode Forum Forums

Please keep this email for your records. Your account information is as follows:

----------------------------
Username: jen729w
Password: foo-bar-mung
----------------------------

<snip>


It is twenty-twelve and the guys who provide my online Linux host are sending me my password in plain text? C'mon man. Really?

j.


Posted: Thu May 10, 2012 5:34 pm
Linode Staff

Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
Thanks - I've just removed that from the phpBB forum software's default email templates.

-Chris


Posted: Thu May 10, 2012 5:37 pm
Senior Member

Joined: Wed Apr 20, 2011 1:09 pm
Posts: 63
It's sent before the password's actually hashed.

That being said, are the forums still storing passwords using phpBB2's default hash (because Linode cba to run the latest version, and this version has known CSRF openings...)?

Which, by the way, the hashing method is a simple md5()...


Last edited by Obsidian on Thu May 10, 2012 5:54 pm, edited 1 time in total.

Posted: Thu May 10, 2012 5:52 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
It's just a forum password.

Don't wet yourself over it.


Posted: Thu May 10, 2012 5:55 pm
Senior Member

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
The same message is sent if the account is created for you, so it would be telling you what the password was that you didn't create. It should include a message saying you should change your password after you successfully log in the first time, this time using a better, more secure password. You don't get an email when you change your password.

Not sure what phpBB uses nowadays to store the password. Been years since I ran one. I do have a number of SMF forums and it uses salted SHA1 and the original is not saved. One-way street. And it is not the same access as your Linode host.

_________________
Kevin a.k.a. Dweeber
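
The contrast drawn in the posts above between a bare md5() and a salted one-way hash, as an added example that is not from the thread or from phpBB or SMF. It goes one step further and upgrades a legacy record at the next successful login; the record format, the use of PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware


def legacy_md5(password: str) -> str:
    """Unsalted md5() record, the scheme described in the thread."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: pbkdf2$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record type in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "pbkdf2":
        iterations, salt_hex, digest_hex = rest.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    return False


def login(db: dict, user: str, password: str) -> bool:
    """Verify, then replace a legacy record while the plaintext is in hand."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if record.startswith("md5$"):
        db[user] = hash_password(password)
    return True


# Constructed sample data: two accounts that chose the same password.
db = {"alice": legacy_md5("foo-bar-mung"), "bob": legacy_md5("foo-bar-mung")}
```

With unsalted md5() the two sample accounts hold identical records, so one recovered password exposes both; after `login(db, "alice", ...)` only alice's record has been replaced by a salted one.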


Posted: Fri May 11, 2012 7:26 am
Newbie

Joined: Thu May 10, 2012 5:16 pm
Posts: 2
vonskippy wrote:
It's just a forum password.

Don't wet yourself over it.


:-) Pants are dry.

I use 1Password, so I don't really care. A lot of people don't, however, and it seems like such an obviously silly thing to do.

Anyway, thanks Chris for removing that from the template.

