Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Taz
Worker
Worker


Joined: Dec 22, 2005
Posts: 158

PostPosted: Thu Feb 16, 2006 1:16 pm Reply with quote

Hey peps!

Has anyone else questioned why the activation email sends the password to the user in plain text? Isn't this like a huge security risk, and is there anyway to disable this?

Thanks
Taz
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Thu Feb 16, 2006 1:50 pm Reply with quote

While I can understand the implications, especially if someone is using a sniffer, what would you suggest? And I don't mean that as an insult or a sarcastic remark. How else do you let the user have confirmation of his/her password? I have thought of alternating schemes, but short of using all SSL connections (and even that isn't foolproof) what are you to do? The point is, is that you are supposed to immediately change your password. So, your initial password should only be a temporary one anyway. You could put some code in nuke that would force you to change it upon initial activation, but you still need to tell the user what the initial password is.
 
View user's profile Send private message
Taz
PostPosted: Thu Feb 16, 2006 2:00 pm Reply with quote

lol - No offense taken. I was kind of working on the pretense that if they didn't know their password, I didn't want them on the site anyway. lol BUT, I know that's not practical, everyone forgets their password, and in some cases people don't get activated right away so I guess it's easier to belive that one would forget.

So is see your point, in that respect, it would probably create more problems than it would solve by not sending the password with the activation.

I like your suggestion that this password should only be used to log in, and then the user should change it on the first login to something more secure. That could just be written the activation email. Something like, "Please realize that your password was sent to you in plain text and we would strongly suggest that you change your password when you first log into the site" But then you would need some way of verifying that this step was followed. If they are not an admin user, I don't guess they could harm much.

Is the language for the activation email contained in the lang-english file or somewhere else? I might add something like this to my site.

My brother works for the NSA, and registered on my gaming site, and was giving me grief about this. He was very 'Glad I didn't use one of my normal passwords'

That's what sparked the interest.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©