
Bug 761073

Summary: Gentoo Forums password reset sends unencrypted password via email (and does not force changing it)
Product: Gentoo Infrastructure
Reporter: Michał Górny <mgorny>
Component: Forums
Assignee: Forum Moderators <forum-mods>
Status: CONFIRMED ---
Severity: normal
CC: contact, gentoo, security
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 880071    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-21 12:33:36 UTC
If you use the password reset feature on Gentoo Forums, you get the new password and activation link via email.  While I can live with the temporary password being sent via email, the Forum should request changing it immediately after logging in.

Alternatively, it could stop sending the new password via email and instead force setting a new password via the activation link.
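
The second option in the description (no password in the e-mail, the user chooses a new one through the link), sketched as an added example; it is not the forum software's code and not part of the report. `ResetStore`, `TOKEN_TTL` and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600            # assumed token lifetime in seconds
PBKDF2_ROUNDS = 600_000     # assumed work factor

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def digest(token):
    # Only a hash of the token is stored, so a database leak yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()

class ResetStore:
    """In-memory stand-in for the account table (hypothetical)."""

    def __init__(self):
        self.passwords = {}  # user -> (salt, derived key)
        self.pending = {}    # sha256(token) -> (user, expiry)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, kdf(password, salt))

    def check_password(self, user, password):
        salt, stored = self.passwords[user]
        return hmac.compare_digest(stored, kdf(password, salt))

    def request_reset(self, user, now=None):
        """Return the token for the e-mailed link; the current password is untouched."""
        if user not in self.passwords:
            return None
        now = time.time() if now is None else now
        # A new request invalidates any earlier outstanding token for this user.
        self.pending = {h: v for h, v in self.pending.items() if v[0] != user}
        token = secrets.token_urlsafe(32)
        self.pending[digest(token)] = (user, now + TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Set the user-chosen password if the token is known and unexpired."""
        now = time.time() if now is None else now
        entry = self.pending.pop(digest(token), None)  # pop makes it single-use
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

The e-mail then carries only a short-lived, single-use token, and the account's existing password stays valid until the user submits a new one through the link.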
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-21 13:56:28 UTC
This is known and one thing the new forum software will fix.
Comment 2 Cara Salter 2023-11-15 20:40:04 UTC
Is there an update on this? I just signed up and got my password in plaintext.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-16 04:08:08 UTC
See the dependency, I suppose.