Forum registration itself violates security

Ask for help about NoScript, no registration needed to post
anthropod
Posts: 2
Joined: Sun Aug 02, 2009 1:21 pm

Post by anthropod »

I like NoScript. I've been using it for a while (2 yrs-ish). I trust you people.

Thus, I was shocked to see that my user name and password used on the forum registration were sent back in clear text as part of my activation email. This is very bad. Please correct this, either by stopping such practice, or (at least) warning the registrant that their info can easily be sniffed (thus they could / should use an initial password that they can change immediately after registration is activated).

Even though I used a generic "for web account management only" email and connected to it via a secure HTTPS channel, unless your outbound email is secure (and the intermediate email service is not compromised) my information is at risk. Fortunately, I used a "low security" username and password (easy for me to remember, reused on many sites, not a major concern if such credentials leak). Nevertheless, I don't like the vulnerability and - more importantly - other forum registrants could easily be at more risk.

Please fix this.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Forum registration itself violates security

Post by Giorgio Maone »

There's no point in securing the password confirmation email messages, since the forum website itself is not HTTPS-secured and therefore each login could be sniffed.
Of course you shouldn't use the same password everywhere, and forum passwords should be considered absolutely throw-away.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)