Forum Password Encryption


Post by xnamkcor » Thu Sep 12, 2013 12:15 am

Your email claims, "Please do not forget your password as it has been encrypted in our database and we cannot retrieve it for you.", but just a few lines up you have emailed me my username and password in plaintext. Do you encrypt it after you send it as plaintext across the tubes?
Posts: 2
Joined: Wed Sep 11, 2013 11:25 pm

Re: Forum Password Encryption

Post by Wladimir Palant » Thu Sep 12, 2013 11:15 am

This forum is using the standard phpBB software. Indeed, it does encrypt the passwords after sending the confirmation mail. And I agree with you that having the password in plain text in the confirmation mail is very suboptimal - but that phpBB feature isn't configurable. We are looking into migrating to Discourse; its approach to passwords is much more sane. In fact, with Discourse local passwords aren't necessary at all - one can log in with an external service like Facebook, Twitter or Google. So my favorite solution would be disabling local accounts completely - if we don't store any passwords then we don't have to worry about keeping them safe.
Wladimir Palant
ABP Developer
Posts: 8397
Joined: Fri Jun 09, 2006 6:59 pm
Location: Cologne, Germany
