Hi,
I just used the forum tool for resetting/retrieving the password and to my great surprise and horror, it sent both user name and password (including password hint) in clear text by e-mail.
This is just plain stupid. Please pay more attention to security than this…
The proper way to do it is to e-mail a link to an encrypted recovery function in which the user can enter a new password.
Arrrrgh!
On 2014-11-15 19:26, Kimmeridgien wrote:
>
> Hi,
>
> I just used the forum tool for resetting/retrieving the password and to
> my great surprise and horror, it sent both user name and password
> (including password hint) in clear text by e-mail.
>
> This is just plain stupid. Please pay more attention to security than
> this…
>
> The proper way to do it is to e-mail a link to an encrypted recovery
> function in which the user can enter a new password.
>
> Arrrrgh!
You are right… Email is not safe.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
On Sat, 15 Nov 2014 18:26:02 +0000, Kimmeridgien wrote:
> Hi,
>
> I just used the forum tool for resetting/retrieving the password and to
> my great surprise and horror, it sent both user name and password
> (including password hint) in clear text by e-mail.
>
> This is just plain stupid. Please pay more attention to security than
> this…
>
> The proper way to do it is to e-mail a link to an encrypted recovery
> function in which the user can enter a new password.
>
> Arrrrgh!
The forums' authentication is integrated with SUSE login, so you shouldn’t
use the native forums’ tools for setting/resetting/retrieving the
password.
Jim
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
On 2014-11-15 22:30, Jim Henderson wrote:
> The forums authentication is integrated with SUSE login, so you shouldn’t
> use the native forums’ tools for setting/resetting/retrieving the
> password.
Nevertheless, if he is sent the password in the clear, that’s a problem.
It bypasses all the care taken with the SUSE login structure. Although
sending passwords via email is quite common.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
On Sat, 15 Nov 2014 22:48:07 +0000, Carlos E. R. wrote:
> On 2014-11-15 22:30, Jim Henderson wrote:
>
>> The forums authentication is integrated with SUSE login, so you
>> shouldn’t use the native forums’ tools for setting/resetting/retrieving
>> the password.
>
> Nevertheless, if he is sent the password in the clear, that’s a problem.
> It bypasses all the care taken with the SUSE login structure. Although
> sending passwords via email is quite common.
The passwords that are actually used are not stored in a format that’s
reversible, IIRC, so it’s not a problem in any event. The string sent
from the forum system is a random string that’s in the database because
the database requires a value - it’s of no value and not used for
anything.
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
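Added example, not code from this thread, from vBulletin or from the openSUSE forums: a minimal Python sketch of the two points raised above, the reset-link flow Kimmeridgien asks for in the opening post (mail a single-use link, let the user pick a new password, never mail the password) and the non-reversible password storage Jim Henderson describes. The class and function names (ResetService, request_reset, complete_reset, reset_link), the 15-minute token lifetime, the PBKDF2 iteration count and the in-memory dictionaries are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for the illustration; a real deployment tunes these.
TOKEN_TTL_SECONDS = 15 * 60       # reset links stop working after 15 minutes
PBKDF2_ITERATIONS = 200_000       # work factor for the password hash


def hash_password(password, salt=None):
    """Return (salt, derived_key).

    The stored value is a salted PBKDF2 digest: the service can check a
    password against it, but can never recover or mail the password itself.
    """
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def reset_link(base_url, token):
    """What actually goes into the e-mail: a link carrying the token, no credentials."""
    return f"{base_url}/reset?token={token}"


class ResetService:
    """Constructed in-memory stand-in for the forum's user and token tables."""

    def __init__(self):
        self.users = {}   # username -> (salt, derived_key)
        self.tokens = {}  # sha256(token) -> (username, expires_at)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def verify_password(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, key = record
        _, candidate = hash_password(password, salt)
        # constant-time comparison of the derived keys
        return hmac.compare_digest(candidate, key)

    def request_reset(self, username, now=None):
        """Issue a single-use, time-limited reset token.

        Only the token leaves the system (inside a link); the database keeps
        its SHA-256 hash, so a leaked token table does not yield usable links.
        Returns None for unknown users; the caller should reply identically
        either way so the form does not reveal which accounts exist.
        """
        now = time.time() if now is None else now
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token and set a new password; False on any failure."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop: a token works exactly once
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "old-pass")
    token = svc.request_reset("alice")
    print("mail body:", reset_link("https://forums.example", token))
    print("reset ok:", svc.complete_reset(token, "new-pass"))
    print("new password works:", svc.verify_password("alice", "new-pass"))
```

The design choice worth noting is that three things are never present together: the mailed message carries only the token, the token table carries only the token's hash, and the user table carries only a salted, iterated digest of the password. Compromise of any one of the three gives an attacker neither the password nor a working reset link.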
On 2014-11-16 02:17, Jim Henderson wrote:
> On Sat, 15 Nov 2014 22:48:07 +0000, Carlos E. R. wrote:
>> Nevertheless, if he is sent the password in the clear, that’s a problem.
>> It bypasses all the care taken with the SUSE login structure. Although
>> sending passwords via email is quite common.
>
> The passwords that are actually used are not stored in a format that’s
> reversible, IIRC, so it’s not a problem in any event. The string sent
> from the forum system is a random string that’s in the database because
> the database requires a value - it’s of no value and not used for
> anything.
Well, the OP did not say that the password he got sent did not work. :-?
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
That was yesterday. And the forums were misbehaving yesterday, so it’s hard to draw any conclusion.
On Sun, 16 Nov 2014 22:13:06 +0000, Carlos E. R. wrote:
> Well, the OP did not say that the password he got sent did not work. :-?
And I explained why that was.
So, we’re good here. There is a password sent that’s part of the
vBulletin functionality, but it’s not part of the functionality we use.
So there’s nothing else to discuss here.
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
On Sun, 16 Nov 2014 22:26:01 +0000, nrickert wrote:
> robin_listas;2676679 Wrote:
>> Well, the OP did not say that the password he got sent did not work.
>> :-?
> That was yesterday. And the forums were misbehaving yesterday, so it’s
> hard to draw any conclusion.
Yesterday’s issue had nothing to do with authentication, it had to do
with routing equipment.
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C