Plain Text Passwords
-
- Apprentice
- Posts: 50
- Joined: Sun May 30, 2010 6:15 am
- Location: Eugene, Oregon
Is there any chance the admins can stop storing passwords in plain text, or at least warn users that passwords are accessible in plain text?
Oooh - I'm the IT Department now, rather than "that jerk that takes three months to solve the e-mail problem?" Sweet!
I have to admit I'm not sure what you're talking about, krain. If I go to the admin console I can't see your password (or anybody else's for that matter). It's possible that if I were to log into the database directly, I'd see what you're talking about. But I don't have MySQL set up on this PC so I can't log in now to check.
Can you elaborate as to why you think the password is stored in plain text? That might help me find a solution.
You can't fix stupid.
"A life is not important except in the impact it has on other lives." ~ Jackie Robinson
-
- Apprentice
- Posts: 50
- Joined: Sun May 30, 2010 6:15 am
- Location: Eugene, Oregon
Sure. When I created the account I was given a confirmation email. This confirmation email had both my user name and my password (plaintext).
This is a really big sign that the passwords are stored in plain text, and it looks like it's a persistent issue even in 3.04: http://www.phpbb.com/community/viewtopi ... &t=1548605
Ideally passwords should be stored as an MD5+SHA-1, perhaps salt. Here's a great article on how it should be done (and why): http://www.devbistro.com/articles/Java/ ... Encryption
And here, with more verbose points: http://www.codinghorror.com/blog/2007/0 ... ectly.html (scroll down to see the bullet points).
While The Gaming Den is likely to never be targeted, sending over email is still a big problem, especially if they use the same or similar password for other services.