Password in Plain Text?

I just registered today and received a confirmation email with my password in plain text. This either tells me that you’re storing our passwords in plain text in your database, or there’s a way to reverse the encryption. Either way, this is a huge security no-no and I’m surprised to see this coming from Comodo’s excellent standards. Hopefully the forum team can shed some light on this. Thank you.

The forums only had that decrypted password because it had just been generated and hadn’t yet been encrypted. The passwords are stored encrypted and as far as I know the forums are unable to decrypt them themselves (there is no decryption routine). The forums can only reset the password on a lost/forgotten password request.

The forums are SMF 1.1.16 (as noted at the bottom of each page) and more details concerning issues like this can be found at http://www.simplemachines.org. I hope that helps.

Awesome, thank you for the speedy reply! :) Much appreciated.

No problem. :)

Similar issue, registered to Comodo Forum - Emailed in plain text complete information re: password and login information and backup access info?!

Why send all this in a plain text email?

What if my email is compromised? - online or on my computer?

Concerned,

David

Please see my post above, the password is a randomly generated one. The forums cannot send you the original password since it’s unable to decrypt it.

Because there is currently no other way to do it… if it was sent to you encrypted, how would you decrypt it?

The only option is to change the way of registration - without sending this info by email. You just write your password on the site and no emails with password. Some sites do it this way, though many other sites do as Comodo forums. Maybe it’ll be more secure without email. Is it difficult to implement?

You’ll need to explain this in more detail. For instance, how would password recovery (where the user has forgotten the password) work?

I think it’s not possible to avoid emailing for password recovery - randomly generated password or just an enormously long random link anyway through email. Unless you use some secret phrase - you write the phrase (it was written by you at the registration) and write new password on the page of the site.

As for the first registration - it’s just as I wrote in my previous post. You just write your password on the site during registration and no emails with password.

As for me I feel quite secure with the current options. So let those who don’t like the procedure offer their choices.
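A registration and recovery flow of the kind proposed in this thread (the user chooses the password on the site, nothing is emailed but a long random reset link), as an added example that is not the forum’s or SMF’s code; the PBKDF2 parameters, the one-hour token lifetime and the in-memory dictionaries standing in for a database are assumptions.

```python
# Added example (not the forum's or SMF's code): registration and password
# recovery that never email a password. Passwords are stored as salted one-way
# hashes; recovery issues a long random token whose hash (not the token) is
# stored, so neither value can be read back out of the database.
import hashlib
import hmac
import os
import secrets
import time

USERS = {}          # constructed in-memory "database": username -> record
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)
TOKEN_TTL = 3600    # seconds a reset link stays valid (assumed policy)

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; there is no inverse of this function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def register(username: str, password: str) -> None:
    """User types the password on the site; only salt and hash are kept."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])   # constant-time compare

def issue_reset_token(username: str, now: float = 0.0) -> str:
    """Return the secret that goes into the emailed link; store only its hash."""
    token = secrets.token_urlsafe(32)                  # 256 bits of randomness
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, (now or time.time()) + TOKEN_TTL)
    return token

def redeem_reset_token(token: str, new_password: str, now: float = 0.0) -> bool:
    """Single-use and time-limited: an old email with the link is useless."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)                # consumed even on failure
    if entry is None or (now or time.time()) > entry[1]:
        return False
    register(entry[0], new_password)                   # overwrite with new hash
    return True
```

The token itself exists only in the emailed link; a database dump yields hashes that cannot be turned back into either a password or a usable reset link.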