Bug 761073 - Gentoo Forums password reset sends unencrypted password via email (and does not force changing it)
Status: CONFIRMED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Forums
Hardware: All Linux
Importance: Normal normal
Assignee: Forum Moderators
URL:
Whiteboard:
Keywords:
Depends on: 880071
Blocks:
Reported: 2020-12-21 12:33 UTC by Michał Górny
Modified: 2023-11-16 17:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-21 12:33:36 UTC
If you use the password reset feature on Gentoo Forums, you get the new password and activation link via email.  While I can live with the temporary password being sent via email, the Forum should request changing it immediately after logging in.

Alternatively, it could stop sending the new password via email and instead force setting a new password via the activation link.
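
The activation-link alternative proposed in the description above, sketched as an added example (not part of the original report and not the forum software's code). The `ResetService` class, the one-hour lifetime, the PBKDF2 iteration count and the `forums.example.org` URL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600        # seconds; assumed lifetime of a reset link
PBKDF2_ROUNDS = 600_000  # assumed work factor


class ResetService:
    """In-memory stand-in for a forum's user table (hypothetical)."""

    def __init__(self):
        self.password_hashes = {}  # user -> (salt, PBKDF2 digest)
        self.pending = {}          # sha256(token) -> (user, expires_at)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.password_hashes[user] = (salt, self._derive(password, salt))

    def check_password(self, user, password):
        salt, digest = self.password_hashes[user]
        return hmac.compare_digest(self._derive(password, salt), digest)

    def request_reset(self, user, now=None):
        """Return the link to e-mail: it carries a token, never a password."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        # Only the token's hash is stored, so a database leak yields no usable links.
        self.pending[key] = (user, now + TOKEN_TTL)
        return f"https://forums.example.org/reset?token={token}"

    def complete_reset(self, token, new_password, now=None):
        """Redeem the link once; the user chooses the new password here."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```
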
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-21 13:56:28 UTC
This is known and one thing the new forum software will fix.
Comment 2 Cara Salter 2023-11-15 20:40:04 UTC
Is there an update on this? I just signed up and got my password in plaintext.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-16 04:08:08 UTC
See the dependency, I suppose.