Password sent back by phpBB in welcome email

This forum is now closed as part of retiring phpBB2
dropd@usa.com
Registered User
Posts: 2
Joined: Tue Sep 27, 2005 2:26 am

Password sent back by phpBB in welcome email

Post by dropd@usa.com »

Is this really necessary?

It is such a security risk. It can easily compromise users' passwords, either through email intercepts or just by someone reading over your shoulder.

Are passwords properly stored in the database? Via one-way encryption?
ScionCrow
Registered User
Posts: 3621
Joined: Fri Feb 13, 2004 6:59 am
Location: Darkness

Post by ScionCrow »

Passwords must be sent via email or the user can't log in (if they've forgotten the password and don't have the email anymore). It's not a security threat either. It's sent to the user's email directly and no one else. And the chances of someone reading over your shoulder just to get your password are pretty slim... (and I mean confiscating it)

Also, passwords are MD5 hashed, and they can't be undone. It's that simple.
No longer supporting phpBB. PM or email me regarding support and you will be ignored. I'm fully done with phpBB and everything.
dropd@usa.com
Registered User
Posts: 2
Joined: Tue Sep 27, 2005 2:26 am

Post by dropd@usa.com »

ScionCrow wrote: Passwords must be sent via email or the user can't log in (if they've forgotten the password and don't have the email anymore). It's not a security threat either. It's sent to the user's email directly and no one else. And the chances of someone reading over your shoulder just to get your password are pretty slim... (and I mean confiscating it)

Also, passwords are MD5 hashed, and they can't be undone. It's that simple.


Usually sites send a random temporary password via email and require the user to switch at first login. Actually (I just learned), phpBB does exactly that with forgotten passwords. Besides email intercepts not being that difficult, the "someone looking over your shoulder scenario" is not far fetched at all. It is a very real possibility in labs and Internet cafés.

It becomes a problem if the user selects an initial password they already use for other confidential purposes like banking, e-commerce or even email.
But it looks to me that you already have the solution, just use the forgotten password procedure in the first go.

Thanks for the clarification on the password storage.
alex_wedge
Registered User
Posts: 3
Joined: Wed Aug 15, 2007 10:25 pm

Re: Password sent back by phpBB in welcome email

Post by alex_wedge »

This is a very, very old thread, I know, but it seems to me that this is still an issue. Anyone sitting in a shared space or using a shared mailbox is put at risk by mailing passwords with no warning, and even in my own home with my own personal address, it irritates me when sites do this to me.

I've seen this complaint about phpBB over and over, and the standard response always seems to be "don't be such a security nut, it doesn't matter, nobody cares, go edit your templates if it really bothers you." I don't think that's a reasonable answer, when a proper solution is so very easy to implement.

For a phpBB installation at work, I've now added an Administration Panel configuration option to suppress the password in registration and re-activation confirmation emails (but not, of course, forgotten password emails -- that would defeat the point). If people are interested, I'd be happy to post my code changes; they're fairly minor. The most troublesome part would be modifying all the style templates to include the extra field in the admin/board_config template.
alex_wedge
Registered User
Posts: 3
Joined: Wed Aug 15, 2007 10:25 pm

Re: Password sent back by phpBB in welcome email

Post by alex_wedge »

Here are my changes, by request. Each block of changes is framed with one unchanged line for search context, and my file versions (from the header) are listed. I believe this is based on a stock install of phpBB v2.0.22.

To set the initial value, you must also run this SQL statement on your phpBB database once, since the control panel only handles configuration values already defined in the config table:

Code:

INSERT INTO {{CONFIG_TABLE}} (config_name,config_value) VALUES ('email_password',1)

Ours being a stock install, we only have the English language pack and the subSilver visual template installed, so these changes cover only those files; the core functionality will work with just the other changes, but to be able to see the option in the admin control panel when using a different language or template, similar changes must be made in the relevant language and template files.

admin/admin_board.php (v1.51.2.16)

Code:

$allow_autologin_no = (!$new['allow_autologin']) ? 'checked="checked"' : '';
/*add*/ $email_password_yes = ( $new['email_password'] ) ? "checked=\"checked\"" : "";
/*add*/ $email_password_no = ( !$new['email_password'] ) ? "checked=\"checked\"" : "";
$board_email_form_yes = ( $new['board_email_form'] ) ? "checked=\"checked\"" : "";

Code:

"L_AUTOLOGIN_TIME_EXPLAIN" => $lang['Autologin_time_explain'],
/*add*/ "L_EMAIL_PASSWORD" => $lang['Email_password'],
/*add*/ "L_EMAIL_PASSWORD_EXPLAIN" => $lang['Email_password_explain'],
"L_COOKIE_SETTINGS" => $lang['Cookie_settings'],

Code:

'AUTOLOGIN_TIME' => (int) $new['max_autologin_time'],
/*add*/ 'EMAIL_PASSWORD_YES' => $email_password_yes,
/*add*/ 'EMAIL_PASSWORD_NO' => $email_password_no,
"BOARD_EMAIL_FORM_ENABLE" => $board_email_form_yes,

includes/usercp_activate.php (v1.6.2.9)

Code:

'USERNAME' => $row['username'],
/*rem*/ // 'PASSWORD' => $password_confirm,
/*add*/ 'PASSWORD' => (isset($board_config['email_password']) && !$board_config['email_password']) ? '(suppressed)' : $password_confirm,
'EMAIL_SIG' => (!empty($board_config['board_email_sig'])) ? str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']) : '')

includes/usercp_register.php (v1.20.2.78) (same block of code in two places)

Code:

'USERNAME' => preg_replace($unhtml_specialchars_match, $unhtml_specialchars_replace, substr(str_replace("\'", "'", $username), 0, 25)),
/*rem*/ // 'PASSWORD' => $password_confirm,
/*add*/ 'PASSWORD' => (isset($board_config['email_password']) && !$board_config['email_password']) ? '(suppressed)' : $password_confirm,
'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']),

Code:

'USERNAME' => preg_replace($unhtml_specialchars_match, $unhtml_specialchars_replace, substr(str_replace("\'", "'", $username), 0, 25)),
/*rem*/ // 'PASSWORD' => $password_confirm,
/*add*/ 'PASSWORD' => (isset($board_config['email_password']) && !$board_config['email_password']) ? '(suppressed)' : $password_confirm,
'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']),

language/lang_english/lang_admin.php (v1.35.2.17)

Code:

$lang['Search_Flood_Interval_explain'] = 'Number of seconds a user must wait between search requests';
/*add*/ $lang['Email_password'] = 'Send Passwords by Email';
/*add*/ $lang['Email_password_explain'] = 'Controls whether passwords are printed in plain text in user registration and password change confirmation emails';
// Forum Management

templates/subSilver/admin/board_config_body.tpl

Code:

<td class="row2"><input type="radio" name="allow_autologin" value="1" {ALLOW_AUTOLOGIN_YES} />{L_YES}&nbsp; &nbsp;<input type="radio" name="allow_autologin" value="0" {ALLOW_AUTOLOGIN_NO} />{L_NO}</td>
</tr>
<!--add--> <tr>
<!--add--> <td class="row1">{L_EMAIL_PASSWORD} <br /><span class="gensmall">{L_EMAIL_PASSWORD_EXPLAIN}</span></td>
<!--add--> <td class="row2"><input type="radio" name="email_password" value="1" {EMAIL_PASSWORD_YES} />{L_YES}&nbsp; &nbsp;<input type="radio" name="email_password" value="0" {EMAIL_PASSWORD_NO} />{L_NO}</td>
<!--add--> </tr>
<tr>
<td class="row1">{L_AUTOLOGIN_TIME} <br /><span class="gensmall">{L_AUTOLOGIN_TIME_EXPLAIN}</span></td>
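One caveat a reviewer would raise about the MOD above: the posted 'PASSWORD' expression only suppresses the password when the `email_password` row exists in the config table and is 0, so an install where the INSERT step was skipped keeps mailing plaintext passwords. The script below is an added example, not part of alex_wedge's changes; it models that expression against a stand-in `$board_config` array (values are strings, as phpBB2 reads them from the database) and contrasts it with a hypothetical fail-closed variant.

```php
<?php
// Added example, not from the MOD above. Shows how the posted expression
// behaves when the email_password config row is missing, 0 or 1, next to a
// fail-closed variant. $board_config stands in for phpBB2's config array;
// "hunter2" is a constructed sample password.

// Exactly the expression used in the MOD: suppress only when the row exists
// and is falsy. A missing row means the password is still sent.
function password_field_as_posted(array $board_config, string $password_confirm): string
{
    return (isset($board_config['email_password']) && !$board_config['email_password'])
        ? '(suppressed)' : $password_confirm;
}

// Hypothetical fail-closed variant: a missing row and a '0' row both
// suppress, so forgetting the one-off INSERT cannot re-enable mailing the
// plaintext password. empty('0') is true in PHP, which is what we want here.
function password_field_fail_closed(array $board_config, string $password_confirm): string
{
    return empty($board_config['email_password']) ? '(suppressed)' : $password_confirm;
}

$password_confirm = 'hunter2'; // constructed sample value
$cases = [
    'row missing (INSERT not run)' => [],
    'email_password = 0'           => ['email_password' => '0'],
    'email_password = 1'           => ['email_password' => '1'],
];

foreach ($cases as $label => $board_config) {
    printf("%-30s posted: %-12s fail-closed: %s\n",
        $label,
        password_field_as_posted($board_config, $password_confirm),
        password_field_fail_closed($board_config, $password_confirm));
}
```

The first row of output is the one to check on a real install: with the posted expression it prints the password, with the fail-closed variant it prints `(suppressed)`.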