Bug 761073

Summary:	Gentoo Forums password reset sends unencrypted password via email (and does not force changing it)
Product:	Gentoo Infrastructure	Reporter:	Michał Górny <mgorny>
Component:	Forums	Assignee:	Gentoo Infrastructure <infra-bugs>
Status:	CONFIRMED ---
Severity:	normal	CC:	chiitoo, contact, forum-mods, gentoo, qmhp3k8q, security
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	880071
Bug Blocks:

Description Michał Górny archtester

2020-12-21 12:33:36 UTC

If you use the password reset feature on Gentoo Forums, you get the new password and activation link via email.  While I can live with the temporary password being sent via email, the Forum should request changing it immediately after logging in.

Alternatively, it could stop sending the new password via email and instead either force setting a new password via activation link.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-21 13:56:28 UTC

This is known and one thing the new forum software will fix.

Comment 2 Cara Salter 2023-11-15 20:40:04 UTC

Is there an update on this? I just signed up and got my password in plaintext.

Comment 3 John Helmert III archtester

2023-11-16 04:08:08 UTC

See the dependency, I suppose.

Comment 4 Chiitoo gentoo-dev

2024-12-19 22:39:11 UTC

Re-assigning since forum-mods@ can not do anything about this at present time.

Comment 5 Sam James archtester

2025-05-14 18:20:47 UTC

*** Bug 955960 has been marked as a duplicate of this bug. ***