Registration passwords in the clear.

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
END OF SUPPORT: 1 January 2017 (announcement)
ChiefVas
Registered User
Posts: 50
Joined: Tue Jul 31, 2007 5:44 pm

Registration passwords in the clear.

Post by ChiefVas »

One of my IT Geeks :ugeek: just informed me of a possible security issue in that when you register you get an email with your username and password in the clear. IF somebody did not follow good cyber security practices and reused a password for other systems as their forum password, that would be a potential security issue. Can I, and if so where would I, modify it so as not to include the password in the activation reply email?
Intranet only board. Running php5.2.0, Oracle 10.2
david63
Registered User
Posts: 20469
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: Registration passwords in the clear.

Post by david63 »

You could always edit language/en/email/user_welcome.txt

I am not sure how great a risk this is, as most sites send you that information, and unless somebody could intercept the message and knew what other sites you used it on, they would just be using a random password with a username.
David
Remember: You only know what you know and - you don't know what you don't know!
ChiefVas

Re: Registration passwords in the clear.

Post by ChiefVas »

Well, this is an internal business forum. IF somebody intercepted the email with the username and password (I believe our email is routed off-site for external spam filtering) and IF their password was their on-site password (many have also used their on-site username as their forum username), that would give somebody on the outside both their on-site username and password. The email address would then point them to our site...

I tried to encourage people to be creative in their username selection: don't use the dull fraction-of-your-last-name one that IT gave you when you were hired. Some people just don't want to have to think when using a computer: "I'll just use the same username and password I've always used." It's no wonder we have hacking and viruses.

"language/en/email/user_welcome.txt" that's what I was looking for, didn't know to look under language, many thanks! :D

Cheers!
Intranet only board. Running php5.2.0, Oracle 10.2
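
The template edit discussed in this thread, as an added example that is not part of the original posts or phpBB's own code: it goes beyond `language/en/email/user_welcome.txt` and checks every e-mail template in every installed language pack, since other templates may also echo the password. It assumes the templates refer to the password through a `{PASSWORD}` placeholder; the script name `strip_pw.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not phpBB code. Assumption: the e-mail templates refer to
# the user's password through a {PASSWORD} placeholder.
TOKEN='{PASSWORD}'

# Print every template under ROOT/language/*/email that still contains the
# placeholder. Covers all installed language packs and all templates, not
# only language/en/email/user_welcome.txt.
find_password_templates() {
    for f in "$1"/language/*/email/*.txt; do
        [ -f "$f" ] || continue
        if grep -qF "$TOKEN" "$f"; then printf '%s\n' "$f"; fi
    done
}

# Drop each line that carries the placeholder. The original is kept as
# FILE.bak so the change can be reviewed (diff) or rolled back.
strip_password_lines() {
    for f in "$1"/language/*/email/*.txt; do
        [ -f "$f" ] || continue
        grep -qF "$TOKEN" "$f" || continue
        cp -p "$f" "$f.bak" || return 1
        # grep -v exits 1 when nothing is left to print; that is not an error.
        grep -vF "$TOKEN" "$f.bak" > "$f" || [ $? -eq 1 ] || return 1
        printf 'cleaned %s\n' "$f"
    done
}

# Usage: sh strip_pw.sh /path/to/phpBB3   (path is the board root)
if [ $# -ge 1 ]; then
    find_password_templates "$1"
    strip_password_lines "$1"
fi
```

After a board upgrade or a language pack update, run `find_password_templates` again, because replaced template files would bring the placeholder back.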