Python Forum
Emailed passwords - Printable Version




Emailed passwords - ndc85430 - Jul-07-2021

I had to reset my password today and after going through the process, I got an email with a new password in. Why is that? Are passwords really stored in plain text instead of securely?


RE: Emailed passwords - Larz60+ - Jul-07-2021

Brought to attention of admins


RE: Emailed passwords - buran - Jul-07-2021

I think it's a temporary password and the user is expected to change it immediately. It's a new password and of course it will be in plain text. The alternative is to send a reset link that will open a password reset form, but the old password, presumably lost, will not be required.


RE: Emailed passwords - snippsat - Jul-07-2021

(Jul-07-2021, 11:28 AM)ndc85430 Wrote: Are passwords really stored in plain text instead of securely?
You get a plain text password, but it's hashed before being stored in the database.
$hash = md5(md5($salt).md5($password));
So it's md5 + salt, could have been better, salt helps some.
Think it's planned in a future version of MyBB to change it out for something like bcrypt or scrypt.


RE: Emailed passwords - ndc85430 - Jul-10-2021

MD5! That's disappointing. Even if a more secure hashing algorithm was used, the passwords still shouldn't be emailed - email really isn't a secure medium!
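
The hash formula quoted in snippsat's post, next to the kind of replacement that post mentions, as an added example that is not part of the thread and not MyBB's code. It reproduces `md5(md5($salt).md5($password))` and upgrades a stored record to scrypt at the next successful login; the function names, the record layout, the sample values and the scrypt cost parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumptions chosen for this example, not MyBB settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_hash(salt: str, password: str) -> str:
    """md5(md5($salt).md5($password)) as quoted in the thread (PHP md5 returns hex)."""
    def md5_hex(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()
    return md5_hex(md5_hex(salt) + md5_hex(password))


def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Return 'scrypt$<salt hex>$<key hex>'; a random 16-byte salt is used if none is given."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login attempt; on success, replace a legacy MD5 record with scrypt."""
    stored = record["hash"]
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    # Legacy path: the plaintext is only available now, at login time,
    # so this is the moment the weak hash can be replaced.
    if not hmac.compare_digest(legacy_hash(record["salt"], password), stored):
        return False
    record["hash"] = scrypt_hash(password)
    record.pop("salt", None)  # the salt now lives inside the scrypt string
    return True


if __name__ == "__main__":
    # Constructed sample record; the salt and password are made up.
    user = {"salt": "Ab3xY9qL", "hash": legacy_hash("Ab3xY9qL", "correct horse")}
    print(verify_and_upgrade(user, "correct horse"), user["hash"][:7])
```

Accounts that never log in again keep the MD5 record under this approach, so a real migration also needs a plan for those rows.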