Python Forum
Emailed passwords
#1
I had to reset my password today and after going through the process, I got an email with a new password in. Why is that? Are passwords really stored in plain text instead of securely?
Reply
#2
Brought to attention of admins
Reply
#3
I think it's a temporary password and the user is expected to change it immediately. It's a new password and of course it will be in plain text. The alternative is to send a reset link that will open a password reset form, but the old password, presumably lost, will not be required.
Larz60+ likes this post
If you can't explain it to a six year old, you don't understand it yourself, Albert Einstein
How to Ask Questions The Smart Way: link and another link
Create MCV example
Debug small programs

Reply
#4
(Jul-07-2021, 11:28 AM)ndc85430 Wrote: Are passwords really stored in plain text instead of securely?
You get a plain text password, but it's hashed before being stored in the database.
$hash = md5(md5($salt).md5($password));
So it's md5 + salt, could have been better, salt helps some.
Think it's planned in a future version of MyBB to change it out with something like bcrypt or scrypt.
Larz60+ likes this post
Reply
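The scheme quoted in post #4 and the change it says is planned, as an added example (not MyBB's code and not written by anyone in this thread): it reproduces md5(md5($salt).md5($password)) in Python and replaces a legacy record with a scrypt one at the next successful login. The record layout, the scrypt cost parameters and the sample user row are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values for this example, tune for your hardware
N, R, P = 2**14, 8, 1

def legacy_hash(password: str, salt: str) -> str:
    """Scheme from the thread: md5(md5($salt).md5($password)).
    PHP's md5() returns lowercase hex, so the inner digests are joined as hex text."""
    inner = (hashlib.md5(salt.encode()).hexdigest()
             + hashlib.md5(password.encode()).hexdigest())
    return hashlib.md5(inner.encode()).hexdigest()

def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with scrypt. The 'scrypt$salt_hex$key_hex' layout is made up for this example."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                         maxmem=64 * 1024 * 1024, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify(password: str, record: dict) -> bool:
    """Check a login attempt against either record type, comparing in constant time."""
    stored = record["hash"]
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
    else:
        candidate = legacy_hash(password, record["salt"])
    return hmac.compare_digest(candidate, stored)

def login(password: str, record: dict) -> bool:
    """Verify, and on success replace a legacy MD5 record with a scrypt one."""
    if not verify(password, record):
        return False
    if not record["hash"].startswith("scrypt$"):
        record["hash"] = scrypt_hash(password)
        record["salt"] = None  # the salt now lives inside the scrypt record
    return True

# Constructed sample user row, as it might look before migration
user = {"salt": "aB3dE9xZ", "hash": legacy_hash("correct horse", "aB3dE9xZ")}
```

Upgrading at login is needed because the stored MD5 value cannot be turned back into the password; only a successful login gives the server the plaintext to re-hash.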
#5
MD5! That's disappointing. Even if a more secure hashing algorithm was used, the passwords still shouldn't be emailed - email really isn't a secure medium!
Reply

