this post was submitted on 30 Sep 2023
154 points (73.6% liked)

Programming

17000 readers
253 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 1 year ago
MODERATORS
snowe
Ategon
[email protected]
154
OP finds vulnerability where a forum sends you your password in plaintext over email and everyone misses the forest for the trees (lemmy.world)
submitted 11 months ago by JackbyDev to c/programming
86 comments fedilink hide all child comments
 

This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 57 points 11 months ago (2 children)

This was hashed out pretty thoroughly in that thread.

The initial concern over the password being stored in plaintext was shown to be a mistaken assumption, and it was made clear that this kind of email doesn't happen anymore, it's an outdated problem.

No need to keep the discussion going past that, is there? Much less spread it around?

[–] [email protected] 15 points 11 months ago (3 children)

Sending passwords via email Will compromise any passwords sent via email. Regardless if the password is stored anywhere in the process if the password is sent via email it is compromised and no longer safe to use. Email is not end and encrypted you have no idea who's running the mail exchange servers that your email follows, it's entirely possible for this company to store that password in a log dealing with their email servers. Password sent via email should be considered immediately compromised and any sites following a practice like this should not be trusted with standard passwords which you shouldn't be using anyway.

[–] [email protected] 23 points 11 months ago

Right, and everyone agreed that wasn't the greatest practice. Two years ago.

This thread from two days ago was bringing attention to an issue that was fixed two years ago, and calling it out as if it was a different problem than it was.

It's good to have discussions about security best practices, but this thread is pointless. This problem is simply not there anymore.

[–] [email protected] 3 points 11 months ago* (last edited 11 months ago) (1 children)

Email isn't end to end encrypted but, but it generally is encrypted. The people who will have it are the sender (who already have the password since they created it) and whoever runs the recipient's mail server. Which is hopefully someone the recipient trusts.

From the sounds of it, this was a password that the server randomly generated, so it's never been used before, and you are forced to reset the password as soon as you use it, so it'll never be used again and they do treat it as "immediately compromised".

Hardly state of the art security, but it also doesn't really have any major problems... especially since this is for a forum.

[–] [email protected] 2 points 11 months ago

Email often is end to end encrypted these days. It's just that there are no guarantees.

[–] flumph 1 points 11 months ago

Sending passwords via email Will compromise any passwords sent via email.

100%. But that is a different problem and a different attack vector than storing passwords in plain text for authentication. When reporting security issues, it's important to be precise.

[–] [email protected] 4 points 11 months ago

hashed out

heheh