[SMS]

neildaemond · Junior Member Joined: 27 May 2011 Posts: 2

When I signed up for this forum, the username and password were sent back to me in the confirmation email.

It is really bad practice to do this as anyone listening can see whats in the email.

If users use these passwords for other things (which is common), this becomes a security breach for other sites as well.

gerasimos_h · Posted: Sun Jun 19, 2011 10:39 am Post subject:

That's the normal behavior of phpBB2, and beside that, login details comes to your email, where you only have access.
Now if someone hack your email, he could retrieve the data quite easily from any board, and that's the weak point.
It's not wise to use the same password, for all sites, especially if that's a support forum with no private data of any kind.
I have in mind upgrading to phpBB3, I already found a style (need some tweaks), make a test upgrade, but it's not my top priority.

Thank you for your concern on this forum's security, I disable text password in welcome mail.

gerasimos_h

neildaemond · Junior Member Joined: 27 May 2011 Posts: 2

Yeah, its always a bad idea to use the same password for different things. I don't, but its a common mistake people make.

I think you can agree too that a user's password should never be seen in plain text, anywhere. Its good you removed it, and are looking into the new phpBB~

keep up the good work with this distro~!