canonknipser wrote: ↑
Wed Aug 22, 2018 8:15 pm
Just use a good ftp and database password and change them frequently - and don't be too paranoid.
The issue is when someone hacks into the server by whatever means. They can then dump the user table. Minimally they might run a dictionary attack against the passwords and that will net them about 10% of the users on average. Now they have associated username, email address and password which they can then try on the email account site.
I use a throwaway password on many sites if I know I'll only be using it for brief time and it's inconsequential where no personal data is given. I just got an email the other day with this throwaway password listed in the email informing me they had video of me watching porn and would delete the video for $1000 .
John connor wrote: ↑
Fri Aug 24, 2018 7:22 am
is there another method perhaps?
As Paul mentioned phpBB would have to be able to decrypt and for that to occur the key would have to be on the server making it pointless. You would have to disable all email features for that user and that would include password recovery. If you were using their password as the key the only thing it would become useful for at that point is if the user was logged in and you wanted to send a confirmation email for password change initiated through the ACP.
I did post an idea for encrypting PM's and designated user profile data but that is possible becsue the user(s) would be logged in and there is really only two or three parties that would need to be able to see it . Even that becomes fairly complicated.