Python Forum

Full Version: Emailed passwords
I had to reset my password today and after going through the process, I got an email with a new password in. Why is that? Are passwords really stored in plain text instead of securely?
Brought to the attention of admins
I think it's a temporary password and the user is expected to change it immediately. It's a new password and of course it will be in plain text. The alternative is to send a reset link that will open a password reset form, but the old password, presumably lost, will not be required.
(Jul-07-2021, 11:28 AM) ndc85430 wrote: Are passwords really stored in plain text instead of securely?
You get a plain text password, but it's hashed before being stored in the database.
$hash = md5(md5($salt).md5($password));
So it's md5 + salt, could have been better; salt helps some.
Think it's planned in a future version of MyBB to change it out with something like bcrypt or scrypt.
MD5! That's disappointing. Even if a more secure hashing algorithm was used, the passwords still shouldn't be emailed - email really isn't a secure medium!
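The hashing scheme quoted in the thread and the move to scrypt mentioned as planned, shown as an added example that is not part of any post above and is not MyBB's code: a login check that verifies a legacy md5(md5($salt).md5($password)) record and rehashes it with scrypt once the correct password has been presented. The record layout, function names, scrypt cost parameters and the `scrypt$salt$digest` storage format are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values for this example, tune for your hardware
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def legacy_hash(salt: str, password: str) -> str:
    """The scheme quoted in the thread: md5(md5($salt).md5($password))."""
    return _md5_hex(_md5_hex(salt) + _md5_hex(password))


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>'; a random salt is made if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login; rehash a legacy record with scrypt when the password matches."""
    stored = record["hash"]
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    # Legacy row: hex MD5 digest plus a separate per-user salt column.
    if not hmac.compare_digest(legacy_hash(record["salt"], password), stored):
        return False
    record["hash"] = scrypt_hash(password)  # upgrade in place, fresh random salt
    record["salt"] = ""                     # salt now travels inside the hash string
    return True


if __name__ == "__main__":
    # Constructed sample row, not real data.
    user = {"salt": "aB3dE9xQ", "hash": legacy_hash("aB3dE9xQ", "correct horse")}
    print(verify_and_upgrade(user, "wrong"), user["hash"][:7])
    print(verify_and_upgrade(user, "correct horse"), user["hash"][:7])
```

Accounts that never log in again keep their MD5 record under this approach, so a migration also needs a plan for those rows, such as forcing a reset after a cutoff date.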