
Forum does not hash passwords - major vulnerability

  • Posts: 5
  • Thank you received: 0
I just signed up - and my password was sent to my email ... plain text. I can't believe it. Hashing passwords is so easy to do...

Please fix this! The internet doesn't need more stolen information.
5 years 2 months ago #33172
The topic has been locked.
Passwords are already hashed. But there is an option as well to send passwords to the registered email address which I've disabled now. It's all done over SSL so no need to panic, but it's disabled now anyway.
5 years 2 months ago #33175
  • Posts: 1067
  • Thank you received: 140
What exactly are they going to steal anyway.... :)
5 years 2 months ago #33181
  • Posts: 5
  • Thank you received: 0
Thanks Jasem, good to know
5 years 2 months ago #33201
  • Posts: 456
  • Thank you received: 76
How does it know the password to send in the email though? It's good to disable that feature, but it points to something bad in the way the password is stored in the datastore. Usually they are stored in the db with a one-way hash where the real password cannot be recovered (without brute force). If it's able to send the real password via email then there is a vulnerability there.
5 years 2 months ago #33209
That's the way Joomla does it. It's sent before getting hashed and stored in DB as a "reminder". I agree it is bad practice and disabled it now.
5 years 2 months ago #33219