Jul-07-2021, 11:28 AM
I had to reset my password today and after going through the process, I got an email with a new password in. Why is that? Are passwords really stored in plain text instead of securely?
Emailed passwords
Jul-07-2021, 11:47 AM
Brought to attention of admins
I think it's a temporary password and the user is expected to change it immediately. It's a new password and of course it will be in plain text. The alternative is to send a reset link that will open a password reset form, but the old password, presumably lost, will not be required.
Jul-07-2021, 02:20 PM
(Jul-07-2021, 11:28 AM)ndc85430 Wrote: Are passwords really stored in plain text instead of securely?
You get a plain text password, but it's hashed before it's stored in the database.
$hash = md5(md5($salt).md5($password));
So it's md5 + salt, could have been better, salt helps some. Think it's planned in a future version of MyBB to change it out with something like bcrypt or scrypt.
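The move from the salted MD5 scheme quoted above to bcrypt can be done at login time, since that is the only moment the plaintext is available. The following is an added example, not MyBB's code and not part of the original post; the record layout (`algo`, `salt`, `hash`) and the function names are hypothetical.

```php
<?php
// Added example. Function names and the $user record layout are assumptions.

// Legacy scheme quoted in the post: md5(md5($salt) . md5($password)).
function legacy_hash(string $salt, string $password): string
{
    return md5(md5($salt) . md5($password));
}

// Check a login attempt. Returns [bool $ok, array $user]; on success a
// legacy record comes back converted to bcrypt so the caller can persist it.
function verify_and_upgrade(array $user, string $password): array
{
    $opts = ['cost' => 12];

    if ($user['algo'] === 'legacy_md5') {
        // hash_equals() compares in constant time.
        if (!hash_equals($user['hash'], legacy_hash($user['salt'], $password))) {
            return [false, $user];
        }
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $opts);
        $user['algo'] = 'bcrypt';
        $user['salt'] = null; // bcrypt stores its own random salt in the hash
        return [true, $user];
    }

    if (!password_verify($password, $user['hash'])) {
        return [false, $user];
    }
    // Re-hash existing bcrypt records if the configured cost has been raised.
    if (password_needs_rehash($user['hash'], PASSWORD_BCRYPT, $opts)) {
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $opts);
    }
    return [true, $user];
}

// Constructed sample record, not real data.
$user = ['algo' => 'legacy_md5', 'salt' => 'Ab3xQ9zL',
         'hash' => legacy_hash('Ab3xQ9zL', 'correct horse')];

// A failed attempt leaves the legacy record untouched.
[$ok, $user] = verify_and_upgrade($user, 'wrong guess');
printf("ok=%s algo=%s\n", var_export($ok, true), $user['algo']);

// A successful attempt converts the record; later logins use password_verify().
[$ok, $user] = verify_and_upgrade($user, 'correct horse');
printf("ok=%s algo=%s\n", var_export($ok, true), $user['algo']);
[$ok, $user] = verify_and_upgrade($user, 'correct horse');
printf("ok=%s algo=%s\n", var_export($ok, true), $user['algo']);
```

Accounts that never log in again keep their MD5 hash under this approach, so a migration plan also needs a cutoff after which remaining legacy records are forced through a password reset.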
Jul-10-2021, 07:17 AM
MD5! That's disappointing. Even if a more secure hashing algorithm was used, the passwords still shouldn't be emailed - email really isn't a secure medium!