Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 431106 - Forum Confirmation Email Includes Plaintext Password
Summary: Forum Confirmation Email Includes Plaintext Password
Status: CONFIRMED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Forums (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Forum Moderators
URL:
Whiteboard:
Keywords:
Depends on: 880071
Blocks:
  Show dependency tree
 
Reported: 2012-08-12 17:14 UTC by Jeffrey Walton
Modified: 2023-11-16 17:40 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Forums: Email with plain text password (gentoo-forum-email-with-plaintext-password.png,198.75 KB, text/plain)
2012-08-12 17:14 UTC, Jeffrey Walton
Details
Changes email templates in all languages (htdocs+translations) (Remove {PASSWORD} token from email templates,90.88 KB, patch)
2015-10-09 02:05 UTC, zamabe
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jeffrey Walton 2012-08-12 17:14:30 UTC
Created attachment 321138 [details]
Forums: Email with plain text password

After registering for a Gentoo forum account, the system emailed me my password in plain text.

(1) There was no need to email me the password since I choose it. (2) Its not appropriate to transmit secrets this way - and there was no need due to (1).

If Gentoo forums wants to email plain text passwords and other secrets, perhaps it should generate a random, throw-away password to share with the world.
Comment 1 zamabe 2015-10-09 02:05:40 UTC
Created attachment 414168 [details, diff]
Changes email templates in all languages (htdocs+translations)

Remove {PASSWORD} token from email templates.

This prevents user passwords being emailed in plain text.
Following the phpBB v3 email templates, the only template which
does send a password is the user_activate_passwd template because
it is the only one which sends a password the user did not provide.

I suspect the diff paths may not be what you want to apply this.
Let me know if/what to change them to if this is the case :)
Comment 2 Tomasz Łaguz 2022-01-09 22:20:14 UTC
This is still an issue in January 2022.
I registered today and got an email with plain text password I provided during registration.
Comment 3 Roy Bamford gentoo-dev 2022-01-10 09:55:59 UTC
Its a feature of phpBB2 and will be fixed with the phpBB3 upgrade.

The workaround until then is to change your password. The board will not email you your new password.