| Summary: | Forum Confirmation Email Includes Plaintext Password | | |
|---|---|---|---|
| Product: | Gentoo Infrastructure | Reporter: | Jeffrey Walton <noloader> |
| Component: | Forums | Assignee: | Forum Moderators <forum-mods> |
| Status: | CONFIRMED --- | | |
| Severity: | major | CC: | contact, desultory, fturco, gentoo, john_r_graham, prometheanfire, WiiController, xaviermiller, zamabe |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 880071 | | |
| Bug Blocks: | | | |

Attachments:
Forums: Email with plain text password
Changes email templates in all languages (htdocs+translations)

Created attachment 414168 [details, diff]
Changes email templates in all languages (htdocs+translations)
Remove {PASSWORD} token from email templates.
This prevents user passwords being emailed in plain text.
Following the phpBB v3 email templates, the only template which
does send a password is the user_activate_passwd template because
it is the only one which sends a password the user did not provide.
I suspect the diff paths may not be what you want to apply this.
Let me know if/what to change them to if this is the case :)
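
A check that could accompany the template change described in the comment above, as an added example that is not part of the original report or of the Gentoo forum code: it walks a template tree and reports every e-mail template other than user_activate_passwd that still contains the {PASSWORD} token. The directory layout, the `.tpl` suffix and the sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Placeholder the patch removes from the e-mail templates.
TOKEN = re.compile(r"\{PASSWORD\}")
# The one template the comment says may keep it: the password sent there
# was not provided by the user.
ALLOWED = {"user_activate_passwd"}


def find_password_templates(root, suffix=".tpl"):
    """Return sorted (relative_path, line_no) pairs for every template under
    root that still contains {PASSWORD} and is not on the allow-list."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*" + suffix)):
        if path.stem in ALLOWED:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            if TOKEN.search(line):
                hits.append((path.relative_to(root).as_posix(), line_no))
    return hits


def build_sample_tree(root):
    """Constructed sample: two languages, one template still leaking."""
    samples = {
        "lang_english/email/user_welcome.tpl":
            "Subject: Welcome\n\nUsername: {USERNAME}\nPassword: {PASSWORD}\n",
        "lang_english/email/user_activate_passwd.tpl":
            "Subject: New password\n\nPassword: {PASSWORD}\n",
        "lang_german/email/user_welcome.tpl":
            "Subject: Willkommen\n\nBenutzername: {USERNAME}\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_password_templates(tmp)


if __name__ == "__main__":
    for rel, line_no in demo():
        print(f"{rel}:{line_no}: {{PASSWORD}} still present")
```

Run against every language directory, a non-empty result means some translation was missed by the template change.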

This is still an issue in January 2022. I registered today and got an email with the plain text password I provided during registration.

It's a feature of phpBB2 and will be fixed with the phpBB3 upgrade. The workaround until then is to change your password. The board will not email you your new password.

Created attachment 321138 [details]
Forums: Email with plain text password

After registering for a Gentoo forum account, the system emailed me my password in plain text.

(1) There was no need to email me the password since I chose it.
(2) It's not appropriate to transmit secrets this way - and there was no need due to (1).

If Gentoo forums wants to email plain text passwords and other secrets, perhaps it should generate a random, throw-away password to share with the world.