Welcome to the Official Support Forum of Forumotion!

Password stored unencrypted?


Post by Roob4rb on June 8th 2013, 8:15 pm

When registering an account, your email says "Please do not forget your password as it has been encrypted in our database : we cannot retrieve it for you.", yet it lists - in plaintext - the password I just submitted for my new account.

Why are you claiming that passwords are stored encrypted when they clearly aren't?

(The only proper way of storing passwords in a database like this is using a strong hashing algorithm such as SHA256, preferably applied multiple times, and using salt.)

Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl


Post by Ange Tuteur on June 8th 2013, 9:13 pm

I assume you're talking about the password in your email, yes? That is quite understandable, as a handful of sites do this. It allows the email holder to know what user fields they've designated for their account (i.e. username and password). If you're confident enough that you'll never forget your password, then you can simply delete the email you've received. Do note that you will no longer receive emails regarding your new password if you do decide to change it periodically; this only applies to account/forum creation.

From what I've observed it will only grab the contents from the registration form that you've submitted, and send it to you via email. If you're concerned that passwords are not encrypted, I'm sure a staff member can clearly answer your question.

Ange Tuteur
Forumaster

Male Posts : 13028
Reputation : 2704
Language : EN10, FR5
Location : Pennsylvania

http://fmdesign.forumotion.com


Post by Roob4rb on June 8th 2013, 9:32 pm

SethC1995 wrote:I assume you're talking about the password in your email, yes? That is quite understandable as a few handful of sites do this. It allows the email holder to know what user fields they've designated for their account. (i.e. username and password)

Yes, I can understand why they are put in the mail, but a user should be responsible for his own credentials. If you can't remember them, write them down somewhere, or put them in a more secure place such as KeePass. There is absolutely no valid reason to include plaintext credentials in confirmation emails.

To make things worse, when you are resetting your password after submitting your username/email, a new password is generated and *again* mailed to me in plaintext. This is not a secure way of resetting a password. Create a token which allows a user to enter a new password, which is then immediately stored as a salted hash, and not sent back to the user over insecure mail.

If you're confident enough that you'll never forget your password, then you can simply delete the email you've received. Do note that you will no longer receive emails regarding your new password if you do decide to change it periodically; this only applies to account/forum creation.
I don't want passwords in my mail account, it makes my mailbox a giant security risk. What would happen if somebody else gained access to my mailbox and found various other passwords there? And saying 'just delete them if you don't want them' is not the proper solution to this problem.

From what I've observed it will only grab the contents from the registration form that you've submitted, and send it to you via email. If you're concerned that passwords are not encrypted, I'm sure a staff member can clearly answer your question.

I will await an answer from staff/developers, since indeed only they can elaborate on how this is handled internally in the application/database.

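Putting the two points raised above into code (the salted, iterated hash from the opening post and the token-based reset from the reply): this is an added example written for this page, not Forumotion's or phpBB's code, and it says nothing about how Forumotion actually stores anything. The `AccountStore` class, the `ITERATIONS` and `RESET_TOKEN_TTL` values and the in-memory tables are assumptions standing in for a real database. Verification works by re-hashing the candidate and comparing digests, never by decrypting anything, and the reset path mails a single-use token rather than a password.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Any, Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune upward for production hardware).
ITERATIONS = 100_000
# Seconds a reset link stays valid (assumption).
RESET_TOKEN_TTL = 3600


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing salted, iterated SHA-256 hash (PBKDF2-HMAC-SHA256).

    A fresh 16-byte random salt per password means two users with the same
    password get different stored values, so a leaked table cannot be attacked
    with one precomputed lookup.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Nothing is decrypted: the candidate is hashed and the two digests are compared.
    """
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def _token_key(token: str) -> str:
    # Only a hash of the reset token is stored, so a database leak does not
    # hand out usable reset links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class AccountStore:
    """In-memory stand-in for the forum's user and reset-token tables (constructed for this example)."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, str]] = {}
        self.reset_tokens: Dict[str, Dict[str, Any]] = {}

    def register(self, username: str, email: str, password: str) -> str:
        """Create the account and return the confirmation email body (no password in it)."""
        self.users[username] = {"email": email, "password_hash": hash_password(password)}
        return (
            f"Hello {username}, your account has been created. "
            "Log in with the password you chose at registration; we cannot retrieve it for you."
        )

    def login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return verify_password(password, user["password_hash"])

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a single-use, time-limited token to put in a reset link. Never mails a password."""
        now = time.time() if now is None else now
        if username not in self.users:
            return None  # the caller shows the same "check your email" message either way
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_token_key(token)] = {"username": username, "expires": now + RESET_TOKEN_TTL}
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token and store the user's own new password as a salted hash."""
        now = time.time() if now is None else now
        record = self.reset_tokens.pop(_token_key(token), None)  # pop: the token is single use
        if record is None or now > record["expires"]:
            return False
        self.users[record["username"]]["password_hash"] = hash_password(new_password)
        return True
```

The `now` parameters exist so expiry can be exercised deterministically; in a real service they would be omitted and the wall clock used. The format string `pbkdf2_sha256$iterations$salt$hash` lets the work factor be raised later without invalidating existing rows.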


Post by Ultron's Vision on June 8th 2013, 9:57 pm

First of all, there is no ultimately secure site on the internet. Wherever there is an exit there is always an entrance.

I am sure that FM encrypts all their internally stored data like passwords, usernames and whatsoever via MD5, SHA1 or whatever encryption is used, and the SQL query passed to the appropriate PHP script checks if the input matches the value stored in the database, not the other way round; the data is not decrypted upon retrieving it.

This is a very complex discussion, and as for the e-mails, I'm quite sure that those who choose an insecure password are notified by their provider that their password is weak; as for the data sent to your e-mails, PHP has a widely-spread range of possibilities to use a value more than once.

In the end it all revolves back to PHP and what could have been used and what not. FM is #1 free forum host for a reason, and I don't think that as such they have insufficient encrypting methods and have worked successfully around the usage of the <script> tag (though that would end up in a discussion about XSS which I already had here).

Waiting for a dev or TGF is definitely the easiest solution.

Ultron's Vision
Forumember

Male Posts : 634
Reputation : 45
Language : English | German | HTML | JavaScript | PHP | C++ | Perl | Java
Location : Vienna, Austria

http://duelacademy.net


Post by Roob4rb on June 8th 2013, 10:05 pm

@Ultron's Vision wrote:First of all, there is no ultimately secure site on the internet. Wherever there is an exit there is always an entrance.
Agreed, but that should never be a reason to accept security risks that are unnecessary.
I am sure that FM encrypts all their internally stored data like passwords, usernames and whatsoever via MD5, SHA1 or whatever encryption is used and the SQL query passed to the appropriate PHP script checks if the input is matching the value stored in the database, not other way round, the data is not decrypted upon retrieving it.
I sure hope it's not MD5, since that hash is severely compromised and should never again be used for security.

Let's just wait for an official reaction.


Post by Roob4rb on June 9th 2013, 12:46 am

Since I can't contact SLGray through PM I'll just put it here: you locked my topic about HTTPS with "Please do not start multi - topics about the same issue/question." as reason, but HTTPS and password storage are two completely different topics. Please reopen the topic so the two subjects don't get mixed up.


Post by SLGray on June 9th 2013, 12:50 am

Please don't double/triple post. Your posts need to be separated by 24 hours before bumping, replying or adding more information. Please use the edit button instead!
What exactly happened when you tried to send me a pm?




SLGray
Administrator

Male Posts : 36648
Reputation : 2443
Language : English
Location : United States

http://ztwds.forumotion.com/


Post by kirk on June 10th 2013, 10:37 am

Is this a problem or a discussion?

@Roob4rb wrote: yet it lists - in plaintext - the password I just submitted for my new account.


It lists where in plain text? And what accounts are you talking about? Joining someone's forum account, or creating your own forum account?

You are talking about user names and passes being sent to the creation email when a forum is created? Well then just delete the email after you activate the forum.

I don't understand this? Original email addresses and passwords are stored in Forumotion's database so you can log in to the forum's utilities if you have to. New passes are sent to creation email addresses when someone forgets them, and a new pass can be sent from the forum for those that may forget their pass (via the forgot password link). As far as what is in your email, that would be your responsibility to remove them from your email, along with making sure your email is secure so no one can log in to it to see any passes or any information and/or emails one may have.

Unless I am getting mixed up with the whole thing? If that's the case then my apologies, but I don't see what the initial problem is here.

I mean, maybe this should be posted in the suggestions section for Forumotion to look into, perhaps to change how they have things now. But there are many things you register for online, and all are sent the same way. So yeah, once again I am not following?

kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn


Post by Roob4rb on June 10th 2013, 11:07 am

@kirk wrote:
It list where in plain text? And what accounts are you talking abaout? joining someones forum account. or creating your own forum account?

When creating a forum account (for example for this support forum), and when resetting the password.


Yous are talking about user names and pass being sent to the creation email when a forum is created? Well then just delete the email after you activate the forum.

As I explained in a previous post, this is not a real solution to this problem; the problem is sending plaintext passwords through an insecure medium (email) without any warning that this will be done. A proper solution would be not including the password in the confirmation mail when creating an account, and using a token when resetting the password so a user can pick his own new password.


I dont understand this? Original email address and passwords are stored in forumotions data base so you can log in to the forums utilities if you have to. New passes are sent to creation email addresses when someone forgets them, and a new pass can be sent from the forum for those that may forget their pass (via forgot password link).As far as what is in your email, then that would be your responsibility to remove them from your email along with making sure your email is secure so no one can log in to it to see any passes or any information and or emails one may have.
I just wonder how this password is stored in forumotions database, since you handle the plaintext password in the scripts that are responsible for sending the confirmation emails.

It shouldn't be the users responsibility to delete a plaintext mail you send out, it should be *your* responsibility to handle my password securely.


Unless i am getting mixed up with the whole thing? if thats the case then my apologies, but i dont see what the initial problem is here?

I mean may be this should be posted in the suggestions sections for forumotion to look in to perhaps change how they have things now.But there are many things you register online with and all are sent the same way. so yeah once again i am not following?

Security is not an easy subject, but I'm just trying to bring to your attention that the way you are handling passwords is definitely not secure and could be done much better. So this is both a problem that I'm having now, and a suggestion of doing this better.


Post by kirk on June 10th 2013, 11:18 am

Well, like I said, feel free to post this in the suggestions section.
Things you register for online, such as forum or web hosting, send passes in the email with your account information, and then others do not.
Forumotion has had this set up this way since the beginning. There is not much we can do about this here except to post over in the suggestions section for Forumotion to perhaps change in the future.

But yeah, it is strange how some things you register for will send info to say click the link to activate and log in with the user name and pass you used (to create whatever it was registered to), and where other things just send the info = user and pass.

Actually, now I think of it, this may be a phpBB thing; I will do a test account from one of my paid phpBB boards and see if it is sent the same way. But phpBB or Forumotion aside, there are many other things you register for online where the information is sent the same way. And once again there are many things that are not. If you feel that uncomfortable with it then I guess you may just want to pass on using Forumotion or any other host or services that may send the information the same way? But other than creating a suggestion post, there is really nothing we can do here about how Forumotion have it set up.


Post by Roob4rb on June 10th 2013, 5:53 pm

It feels like we're going in a circle here.

There are websites that:
- Don't send you plaintext passwords in the mail (secure)
- Send plaintext passwords in the mail (not secure)

Why do you say 'There is not much we can do about this'? It's your website, right? If you deliberately choose not to change this, you are in fact choosing an insecure way of handling your members' passwords.

It's not 'strange' that sometimes you receive a password when resetting a password and sometimes you don't, it's just the way that the site is built. Again, if you receive a token which allows you to change your password, then a secure design was chosen over an insecure design.

But coming back to my core question: are these passwords stored encrypted, using a secure hashing algorithm + salt?

I would prefer if a developer could answer this, not somebody who has to guess what is being used and only has quasi-technical answers for me.


Post by Sanket on June 10th 2013, 6:44 pm

I will forward this for The Godfather to answer, after you confirm a few things for me.
1)
Are these passwords stored encrypted, using a secure hashing algorithm + salt?
It's a free forum service, and we are not bound to answer what we are using. The only thing I can inquire is whether the passwords stored are encrypted or not.

Please be respectful towards a staff member, who was just trying to find a solution to your queries even when he was not aware of the answers 100%.

Sanket
ForumGuru

Male Posts : 48766
Reputation : 2819
Language : English
Location : Mumbai

http://webartzforum.com


Post by Roob4rb on June 10th 2013, 10:38 pm

I did not mean to be disrespectful, but just wanted to avoid an endless hypothetical discussion about what might or might not be used.

Also, did a part of your post not make it to your final submit? I only see '1)' after you say you want me to confirm a few things.


Post by Sanket on June 11th 2013, 5:55 am

Will you confirm point #1, so that I can ask my next confirmation, which is related to it? I thought it's better to go one by one, since all of it is a little related.


Post by Roob4rb on June 11th 2013, 8:43 am

If you mean if that's still my question, then yes.

The question came up because of the way plaintext passwords are mailed around on account creation and password reset.


Post by Sanket on June 11th 2013, 10:02 am

@Sanket wrote:The only thing I can inquire is whether the passwords stored are encrypted or not.
That's what I can ask, to be clear.


@Roob4rb wrote:"Please do not forget your password as it has been encrypted in our database : we cannot retrieve it for you."
Please post a screenshot of this.


Post by Roob4rb on June 11th 2013, 2:30 pm

Please post a screenshot of this.
Sure:



Edit: if you're asking anyway, could you also check with him/her about by other topic? (HTTPS connection, http://help.forumotion.com/t124550-why-no-secure-connection-ssl)


Post by Sanket on June 11th 2013, 2:42 pm

I have asked the person concerned to respond to whether the passwords are encrypted or not.

Please don't link to your various threads in this thread.


Post by kirk on June 11th 2013, 4:16 pm

@Roob4rb wrote:
Why do you say 'There is not much we can do about this', it's your website, right? If you deliberately choose not to change this, you are in fact choosing for an insecure way of handling your members' passwords.


It is not my site; I do not own Forumotion. I told you before this is more of a phpBB software thing: all phpBB forums send the information the same way, as well as Invision and many other services. So I am in fact doing nothing in regards to Forumotion developments or how it is set up. I can probably go through my email and find a whole list of services, free and paid, that all send the information the same way.


I would prefer if a developer could answer this, not somebody who has to guess what is being used and only has quasi-technical answers for me.
Well, the best thing we can do is try to get a Pro-Admin to give you an official answer.
Pro-Admins work for Forumotion. With the exception of Pro-Admins, all other staff on the Forumotion support forums are volunteers.


Post by LGforum on June 12th 2013, 3:04 pm

I agree with topic starter. This is an issue that should be addressed.

I have no doubt that the passwords are hashed before stored in the database. That's surely obvious. The developers of Forumotion can't call themselves developers if they are storing plaintext passwords...

Given that most people don't use emails securely and aren't configured to receive encrypted emails, the solution I'd say is not to send the password at all.

LGforum
Hyperactive

Male Posts : 2260
Reputation : 258
Language : English
Location : UK

http://www.avacweb.com/
