Wait, did you just email me my password?



stib
07-19-2016, 12:18 AM
Oh FFS Newtek. Just because the forum software you like to use looks like it comes from the 1990s, your attitude to security shouldn't either.

I just had to reset my password and was shocked to discover that it was being mailed to me in PLAIN TEXT. What that means is that NewTek is keeping a PLAIN TEXT COPY OF YOUR PASSWORD. NONONONONONONONONONO! That is not how you do it. You guys should not be able to access a plain text copy of my password to send to me because it shouldn't be on your server anywhere! That is a MASSIVE security hole!

http://plaintextoffenders.com/about/

As it stands, be very careful using NewTek's forums because your password is vulnerable. Make sure your NewTek forum password is different to any other password you use.

zapper1998
07-19-2016, 02:42 AM
wow dang ditto

raymondtrace
07-19-2016, 07:50 AM
According to their own forum chatter, vbulletin stores passwords in a salted hash. Are you sure you saw your password in plaintext from this forum software (no other Newtek service?)

Here is the message I get when I try to reset a forum password. I see no plaintext password.

#####

Dear raymondtrace,

You have requested to reset your password on NewTek Discussions because you have
forgotten your password. If you did not request this, please ignore it. It will
expire and become useless in 24 hours time.

To reset your password, please visit the following page:
http://forums.newtek.com/login.php?a=pwd....[redacted, but not a plain text password]

When you visit that page, your password will be reset, and the new password will be
emailed to you.

Your username is: raymondtrace

To edit your profile, go to this page:
http://forums.newtek.com/profile.php?do=editprofile

All the best,
NewTek Discussions

50one
07-19-2016, 09:20 AM
stib, everyone knows your password is "abc.123" anyway....:)

MichaelT
07-19-2016, 11:52 AM
Hmm, well if that is correct, then it is quite bad. But that is also why I have different passwords for every single account that I have .. everywhere.

SBowie
07-19-2016, 12:09 PM
We've tested this (today, in response to this thread), and the only time anyone is ever sent a password is if you do an 'I forgot my password' operation, in which case you are sent an email with a temporary password so you can reset it yourself. This is bog standard procedure for lots of venues, if not the great majority, and shouldn't alarm anyone as far as I can see.

The password is not visible apart from that, even to admins. (I can reset a password, but I can't view it either before or after.)

UnCommonGrafx
07-19-2016, 01:30 PM
My thoughts are:
You were phished. Thanks for the warning.
Steve states my experience, as well.

Interesting and joining to see the conversation heretofore.
Robert

Shawn Farrell
07-20-2016, 03:18 AM
The best password is always "password" or not...

stib
07-20-2016, 04:30 AM
Reassuring. However you need to make sure that the user changes their password. As it stands the user doesn't have to change it from the one you send.

But a better approach would be to send a one-off password reset link like modern web sites do. I mean, vBulletin? Really?


We've tested this (today, in response to this thread), and the only time anyone is ever sent a password is if you do an 'I forgot my password' operation, in which case you are sent an email with a temporary password so you can reset it yourself. This is bog standard procedure for lots of venues, if not the great majority, and shouldn't alarm anyone as far as I can see.

The password is not visible apart from that, even to admins. (I can reset a password, but I can't view it either before or after.)

SBowie
07-20-2016, 06:58 AM
But a better approach would be to send a one-off password reset link like modern web sites do. I mean, vBulletin? Really?

I don't disagree that there are some advantages to that approach, and I'll ask whether vB has that option.

raymondtrace
07-20-2016, 07:38 AM
Reassuring. However you need to make sure that the user changes their password. As it stands the user doesn't have to change it from the one you send.

But a better approach would be to send a one-off password reset link like modern web sites do. I mean, vBulletin? Really?

I think a poly-dense mountain is being rendered from a mole hill. The authentication system here is strictly for slapping a username to the nonsense we post. There is no confidential information to protect.

vBulletin writes the auto-generated password in the email at the same time it writes the hashed version in the database. The database does not store the plain text version of the password.

The auto-generated password is created by vBulletin, not the user...so there is no danger that the user is using the same password on multiple services. There is actually greater security if the user does not change the auto-generated password because most users will stupidly change it to something they already use.

There is still the danger that someone can intercept the user's email message and password contained within. But this forum already lacks SSL/TLS ...so email sniffing is a trivial concern.
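The one-off reset-link flow stib argues for, written out as an added example that is not part of this thread and is not vBulletin's or NewTek's code. The service class, its method names and the usernames and passwords are all constructed for illustration. It keeps only salted password hashes (the point raymondtrace makes about the database) and only a hash of each reset token, gives the token the same 24-hour lifetime the forum's own reset email quotes, makes it single-use, and forces the user to choose the new password at redemption, so nothing mailed out ever works as a login on its own.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Same 24-hour window the forum's own reset email quotes.
TOKEN_TTL_SECONDS = 24 * 3600
PBKDF2_ROUNDS = 100_000


class PasswordResetService:
    """Hypothetical reset service (not vBulletin's): stores salted password
    hashes and hashed, single-use, expiring reset tokens. The clear-text
    token exists only in the emailed link; nothing in the store logs a
    user in by itself."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now  # injectable clock so expiry can be tested
        self.users: Dict[str, Dict[str, bytes]] = {}
        self.reset_tokens: Dict[str, dict] = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    @staticmethod
    def _hash_token(token: str) -> str:
        # The token hash is the lookup key; a copy of the table cannot be
        # turned back into a working link.
        return hashlib.sha256(token.encode()).hexdigest()

    def set_password(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh salt on every change
        self.users[username] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
        }

    def verify_login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        candidate = self._hash_password(password, rec["salt"])
        return hmac.compare_digest(rec["pw_hash"], candidate)

    def request_reset(self, username: str) -> Optional[str]:
        """Returns the token to embed in the emailed link, or None for an
        unknown account (the web layer should answer identically either way)."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[self._hash_token(token)] = {
            "username": username,
            "expires": self.now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # goes only into the email, never into the store

    def redeem_reset(self, token: str, new_password: str) -> bool:
        """Consumes the token and sets the user-chosen password in one step,
        so there is never a temporary password the user can keep using."""
        rec = self.reset_tokens.get(self._hash_token(token))
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return False
        rec["used"] = True
        self.set_password(rec["username"], new_password)
        return True


def demo() -> Dict[str, bool]:
    """Walks the flow with constructed credentials; returns each check."""
    clock = [1_700_000_000.0]
    svc = PasswordResetService(now=lambda: clock[0])
    svc.set_password("alice", "constructed-old-password")
    token = svc.request_reset("alice")
    assert token is not None
    results = {
        "token_is_not_a_login": not svc.verify_login("alice", token),
        "first_redeem_ok": svc.redeem_reset(token, "constructed-new-password"),
        "old_password_rejected": not svc.verify_login("alice", "constructed-old-password"),
        "new_password_accepted": svc.verify_login("alice", "constructed-new-password"),
        "token_single_use": not svc.redeem_reset(token, "constructed-second-attempt"),
        "unknown_user_no_token": svc.request_reset("nobody") is None,
    }
    stale = svc.request_reset("alice")
    clock[0] += TOKEN_TTL_SECONDS + 1  # step past the 24-hour window
    results["expired_token_rejected"] = not svc.redeem_reset(stale, "constructed-late")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The design choice worth noting against the thread: the emailed token is never accepted by `verify_login`, so the concern in stib's second post (a mailed temporary password that the user is never made to change) does not arise, and the interception risk raymondtrace mentions is bounded to one redemption inside the expiry window rather than to an indefinitely valid credential.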