This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.
Just wow, yeah. Nothing should ever send you a password in cleartext - once that’s been done, a MITM attack’s success rate just went to 100%.
It’s painless to use password resets if the person forgot the password. Never, ever should a password be in cleartext.
hunter2
I’d be more worried if someone who uses the internet to such a degree that they use Lemmy over Reddit, on a programming forum, didn’t get the reference. This is famous hacker lore at this point.
It’s painless to use password resets
Ya and have they send you the (one-time) password in cleartext
Well, the tokenized link is essentially a clear text one time password. Not really any better than just a one time password except for the convenience that the user does not need to type it in. If someone gets hold of the link or password before you they can get access to your account.
(one-time)
You make it sound like an irrelevant detail, but that’s kind of the key part. If implemented properly, it’s only valid once and for a short period of time, which greatly reduces risk.
MITM attack’s success rate just went to 100%
No, it didn’t. It’s stupid and shouldn’t be done, but all ham nowadays is encrypted.
I know that because I’ve been running my email server for some years now, technically breaking one of the RFCs for not allowing unencrypted connections. Zero email has been missed.
While I agree that likely most SMTP traffic is sent encrypted these days, you simply cannot be sure. Just because you received something over an encrypted connection doesn’t mean that relays in between also used this. The webserver could have handed over the email unencrypted to an SMTP server for all you know. And even if an encrypted connection was used the mail might still have been copied to a log on the SMTP server. Email is unfortunately inherently unsafe.
Many years ago, I had forgotten my password to the Sprint websiteb so I could log in and pay my cellular bill. I had to call customer support to resolve this. After verifying my activity, the support agent read me my existing password one letter at a time. While this was alarming, I was amused she had to spell out a somewhat obscene phrase for me. This was maybe 20 years ago and I no longer use Sprint.
Definitely. You don’t send passwords, ever, even if it’s encrypted by a quantic email server from the future.
The only issue I can see is why are you sending the password to the person in the email at all just seems redundant… I think I may have run into a tree though.
This was hashed out pretty thoroughly in that thread.
The initial concern over the password being stored in plaintext was shown to be a mistaken assumption, and it was made clear that this kind of email doesn’t happen anymore, it’s an outdated problem.
No need to keep the discussion going past that, is there? Much less spread it around?
Sending passwords via email Will compromise any passwords sent via email. Regardless if the password is stored anywhere in the process if the password is sent via email it is compromised and no longer safe to use. Email is not end and encrypted you have no idea who’s running the mail exchange servers that your email follows, it’s entirely possible for this company to store that password in a log dealing with their email servers. Password sent via email should be considered immediately compromised and any sites following a practice like this should not be trusted with standard passwords which you shouldn’t be using anyway.
Right, and everyone agreed that wasn’t the greatest practice. Two years ago.
This thread from two days ago was bringing attention to an issue that was fixed two years ago, and calling it out as if it was a different problem than it was.
It’s good to have discussions about security best practices, but this thread is pointless. This problem is simply not there anymore.
Email isn’t end to end encrypted but, but it generally is encrypted. The people who will have it are the sender (who already have the password since they created it) and whoever runs the recipient’s mail server. Which is hopefully someone the recipient trusts.
From the sounds of it, this was a password that the server randomly generated, so it’s never been used before, and you are forced to reset the password as soon as you use it, so it’ll never be used again and they do treat it as “immediately compromised”.
Hardly state of the art security, but it also doesn’t really have any major problems… especially since this is for a forum.
