When a new account is created in Joomla!, the software sends an e-mail with the user's data (including the password). However, if the server is not set up correctly to send e-mails, the site admin will receive a bounced message similar to this:

Hello XXX,

Thank you for registering at YYY. Your account is created and must be activated before you can use it.
To activate the account click on the following link or copy-paste it in your browser:
Activation link here.

After activation you may login to YYY using the following username and password.

- Username: myusernamehere

- Password: mypasswordhere



Best Regards,
YYY

The major issue here is that any bad site admin, by simply misconfiguring the e-mail server, would be able to see the password of anyone who registers on his/her web site.

I honestly think this is a major drawback in the security of Joomla!, and, as a rule, passwords should never be sent via e-mail. This post was provoked by an accidental crash of my mail server and the receipt of about 10 e-mails like this today, containing the passwords of the people who registered.


What is your opinion?


Tags: e-mails, joomla, security

Comment by Erik Roznbeker on March 8, 2010 at 6:11am
I don't think this is a major security issue because it is the standard used by almost everyone. Also, admins on servers have easier ways of hacking user accounts than checking registration e-mails.
Comment by Ivo Apostolov on March 8, 2010 at 6:15am
Erik, the idea is not to hack the user account. Any site admin could easily change his/her password.
The idea is that the password is displayed in pure text, which is not acceptable IMO.
Comment by Ajmal Afif on March 8, 2010 at 6:52am
I fully understand and share the sentiment. From a security perspective, and that alone, a superuser or superadmin being able to see a password in plain text is not favorable. I could imagine lots and lots of bad consequences from this flaw. One of the obvious ones would be any other account with the same password (simply imagine the user's Gmail account, or Facebook, or ATAAW?!!). If it won't be considered for 1.5, let's hope that it will at least be "fixed" in 1.6.

PS: Another thing I wrote on the suggestion thread for Joomla 1.6 on the joomla.org forum regarding security was for end users to key in their old or existing password in order to change their password on the front-end (or more accurately, the user account panel). Arguably you can say this is standard security with other CMSes or web engines (like forums etc.).

One first-hand experience I had with that issue: I once made a recreational site for my dorm/college mates (college students), who played pranks on each other by messing up each other's passwords on each other's laptops (most of them had "Remember Me" on the site, if not in browsers or keychains, just so they would never have to enter their username and password again).
Comment by Phil Taylor on March 8, 2010 at 7:57am
I believe this is bad practice and should be changed.
Comment by Ivo Apostolov on March 8, 2010 at 11:19am
The issue is that a lot of users really do use one and the same password for many web sites, so this directly provides an opportunity to people who are willing to obtain end users' passwords. Imagine the user having the same password for PayPal or other similar sites?
Comment by Ajmal Afif on March 8, 2010 at 11:32am
Couldn't agree with you more. Like engineers always prioritize, "Safety First".
Comment by Manoel J. Silva on March 8, 2010 at 11:39am
"Is this secure enough?"

No, it is not as secure as it should be!
Comment by Ivo Apostolov on March 8, 2010 at 11:48am
What worries me is that this was not challenged enough for almost 5 years and 32 versions.
It is also worrying that very serious 3PDs apply the very same style.
Comment by Joe LeBlanc on March 8, 2010 at 1:57pm
A while back, I remember talking with a co-worker about applications that store passwords in the database, citing how insecure they were. Then he signed up for an account on our site and it sent him the email with his password in plain text. Yeah, I had to eat that one ;)

And I agree, even though we do encrypt the password before sending it to the DB, we shouldn't be emailing out the password in plain text ever!
Comment by Ajmal Afif on March 9, 2010 at 1:54am
Usually in the Joomla world we'll see alternatives or workarounds (or, unfavorably, hacks), but I don't know if we have that for this. Scaryy~

© 2012   Created by Amy Stephen.