Fix insecure phpBB forum password in Welcome e-mail


Moderator: Klaus

digitalkumara
Posts: 3
Joined: Sat Apr 13, 2013 11:14 am

Fix insecure phpBB forum password in Welcome e-mail

Post by digitalkumara » Sat Apr 13, 2013 11:52 am

Hi RunRev

As you are no doubt aware, the welcome e-mail message sent to new forum users after registration includes the password the user entered in clear text. Would it be possible to remove the password from the message? Sending a clear-text password across unencrypted e-mail is something that I think should be avoided where possible.

Furthermore, how is it that the password the user enters on the forum registration webpage can be stored in such a way that it is possible to retrieve the clear-text password? Shouldn't there be some kind of secure hash that gets stored instead? Preferably one not readily converted back to the clear-text password without some considerable computational effort.

If there are limitations in the current version of phpBB then I request that a clear and obvious note is added to the sign-up page to inform users how their password is stored, especially if it is not as per (practicable) best practice security. Had I known this I would have used a different password altogether :)

Simon
VIP Livecode Opensource Backer
Posts: 3901
Joined: Sat Mar 24, 2007 2:54 am

Re: Fix insecure phpBB forum password in Welcome e-mail

Post by Simon » Sat Apr 13, 2013 9:16 pm

Hi digitalkumara,
Welcome to the forum!
You can change your password in your user control panel. As for security this is only a forum, not really the place to store confidential information.

Simon
I used to be a newbie but then I learned how to spell teh correctly and now I'm a noob!

digitalkumara
Posts: 3
Joined: Sat Apr 13, 2013 11:14 am

Re: Fix insecure phpBB forum password in Welcome e-mail

Post by digitalkumara » Sun Apr 14, 2013 5:34 am

Hi Simon, I know where I can change my password and completely agree that a forum is not the place to store passwords. It looks like you may not have understood my message and the feature request I asked for, namely: alerting users on the sign up page that their password is not stored securely OR ensuring that RunRev doesn't use an insecure method to capture passwords and not including the clear text password in the initial welcome message that is e-mailed to new users when they register for the forum.

Thanks for the welcome :)
Christopher

Simon
VIP Livecode Opensource Backer
Posts: 3901
Joined: Sat Mar 24, 2007 2:54 am

Re: Fix insecure phpBB forum password in Welcome e-mail

Post by Simon » Sun Apr 14, 2013 5:50 am

Hi Christopher,
Sorry, did not notice this was posted in the Feature Requests forum.
Oh, I think I see the problem, you've used your initial password somewhere else like your bank account and seeing it in clear text started you worrying. Ok, now that would annoy me.
Otherwise it's just a forum password, not much someone can do here except possibly answer posts for me.

Simon
I used to be a newbie but then I learned how to spell teh correctly and now I'm a noob!

digitalkumara
Posts: 3
Joined: Sat Apr 13, 2013 11:14 am

Re: Fix insecure phpBB forum password in Welcome e-mail

Post by digitalkumara » Sun Apr 14, 2013 6:18 am

Thanks for the follow-up. Luckily I don't use the same password on different sites (especially not banking!) but I would have used a different base algorithm when creating a forum password if I knew it wasn't 100% secure.

I guess it's a limitation of phpBB. I'll live with it but it would be nice if the registration page made some mention of it - although I'll accept that RunRev probably won't want to do this for fear of scaring people off. Maybe just don't include the password in the e-mail message at all? I'll assume this will be logged as a low priority request and will let you return to your regular LiveCode programming :)
