Security Issue - Displaying Password in Email

Technical Details

Forum version : #phpBB3
Position : Founder
Concerned browser(s) : , Mozilla Firefox, Google Chrome, Internet Explorer, Opera, Safari, Other
Who the problem concerns : All members
Forum link : Https://origincrypto.forumotion.com

Description of problem

Hello, I am setting up a forum for a crypto currency to answer technical issues. However, upon creation sign ups on the site emails the users their passwords. This is a major security risk and my clients do not want to sign up risking their data.

Is there any way I can disable this? If not I may ask for a refund as I purchased credits yesterday, a few hours before my development team notified me of the security risk.

Thanks in advance!

Hello,

The short answer to that is no it can not be changed. This is set up serverside and is not changeable.

I dont exactly see how this would be a security risk, unless the persons email is already hacked into or something, no one else would see the password and the person could simply delete the email immediatelly after it is read.

Anyway, sorry there is no way to change this.

-Brandon

If my client has their email stolen and they forgot to delete the message their account will be completely compromised do to the forums link, login username and password all being included within one message. I would say that is a security issue.

It is international standard to always encrypt at least the password as soon as entered.

If there is no way to change it locally, I highly suggest It to be changed server side.

It is encrypted on our system. That is the only time it ever displayed and only in that one email. It can not be retrieved any other way, not by an admin, not by the user, not even by our team in the head office.

This is the way things have been done since day 1 I believe and I dont know if there is any plans to change this or not. I am just a volunteer and do not work for head office, so I really couldnt tell you much more on this.

Once again, I am sorry, but it is not possible to change by the admin of the forum at this time.

-Brandon

After the members log in to the forum, they can change their information.

I have marked this as solved, thank you for taking the time to reply. I will forward this to my security team for them to review, appreciate the help!