
Bug 431106

Summary: Forum Confirmation Email Includes Plaintext Password
Product: Gentoo Infrastructure
Reporter: Jeffrey Walton <noloader>
Component: Forums
Assignee: Forum Moderators <forum-mods>
Status: CONFIRMED
Severity: major
CC: contact, desultory, fturco, gentoo, john_r_graham, prometheanfire, WiiController, xaviermiller, zamabe
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 880071    
Bug Blocks:    
Attachments: Forums: Email with plain text password
Changes email templates in all languages (htdocs+translations)

Description Jeffrey Walton 2012-08-12 17:14:30 UTC
Created attachment 321138 [details]
Forums: Email with plain text password

After registering for a Gentoo forum account, the system emailed me my password in plain text.

(1) There was no need to email me the password since I chose it. (2) It's not appropriate to transmit secrets this way - and there was no need due to (1).

If Gentoo forums wants to email plain text passwords and other secrets, perhaps it should generate a random, throw-away password to share with the world.

Comment 1 zamabe 2015-10-09 02:05:40 UTC
Created attachment 414168 [details, diff]
Changes email templates in all languages (htdocs+translations)

Remove {PASSWORD} token from email templates.

This prevents user passwords being emailed in plain text.
Following the phpBB v3 email templates, the only template which
does send a password is the user_activate_passwd template because
it is the only one which sends a password the user did not provide.

I suspect the diff paths may not be what you want to apply this.
Let me know if/what to change them to if this is the case :)
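
A regression check for the change described in Comment 1, as an added example that is not part of the bug report or the attached patch: it walks a template tree and reports every file and line that still contains the `{PASSWORD}` token, skipping only `user_activate_passwd`. The directory layout, file extensions and sample templates are constructed assumptions.

```python
import tempfile
from pathlib import Path

TOKEN = "{PASSWORD}"                       # token named in Comment 1
ALLOWED_STEMS = {"user_activate_passwd"}   # only template meant to carry a password
SUFFIXES = {".tpl", ".txt"}                # assumed template file extensions


def find_password_tokens(root):
    """Return sorted (relative_path, line_number) pairs for every
    non-allow-listed template under root that still contains TOKEN."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SUFFIXES:
            continue
        if path.stem in ALLOWED_STEMS:
            continue
        # Translations may not be UTF-8; undecodable bytes must not hide a hit.
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            if TOKEN in line:
                hits.append((path.relative_to(root).as_posix(), lineno))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample tree: two languages, one allow-listed template."""
    samples = {
        "lang_english/email/user_welcome.tpl":
            "Username: {USERNAME}\nPassword: {PASSWORD}\n",
        "lang_english/email/user_activate_passwd.tpl":
            "New password: {PASSWORD}\n",
        "lang_german/email/user_welcome.tpl":
            "Benutzername: {USERNAME}\n\nPasswort: {PASSWORD}\n",
        "lang_german/email/topic_notify.tpl":
            "Hallo {USERNAME},\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_password_tokens(tmp)


if __name__ == "__main__":
    for rel, lineno in demo():
        print(f"{rel}:{lineno}: template still sends {TOKEN}")
```

Run against the real template directory in CI, a non-empty result means a translation was missed by the patch or a later change reintroduced the token.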

Comment 2 Tomasz Łaguz 2022-01-09 22:20:14 UTC
This is still an issue in January 2022.
I registered today and got an email with the plain text password I provided during registration.

Comment 3 Roy Bamford gentoo-dev 2022-01-10 09:55:59 UTC
It's a feature of phpBB2 and will be fixed with the phpBB3 upgrade.

The workaround until then is to change your password. The board will not email you your new password.