Hello,
Have just upgraded to 18.12 from 18.11 and noticed that on registration, you can set the options to "Send Random Password" which although successfully sends the email through to the user, does not function on entry of your forum to enable the user to change it.
It returns a VERY long alphanumeric string but as I say, this no longer works on 18.12. It definitely worked on 18.11 as due to security, it is a feature I have always happily used.
Pete
Please don't use this feature. It's honestly ridiculous that it's still in the core. By using it, you're putting your user's plaintext password in an email inbox where it may be stored indefinitely, read by the email provider or anyone in the middle, etc.
Make your users set a decent password that they keep in their brain or in a physical location that some random internet script kiddie isn't going to be able to access from their computer. Or, better yet, stored in a reputable password manager.
Hello,
(2017-05-22, 10:26 PM)PeteSa Wrote: [ -> ]Hello,
Have just upgraded to 18.12 from 18.11 and noticed that on registration, you can set the options to "Send Random Password" which although successfully sends the email through to the user, does not function on entry of your forum to enable the user to change it.
It returns a VERY long alphanumeric string but as I say, this no longer works on 18.12. It definitely worked on 18.11 as due to security, it is a feature I have always happily used.
Pete
Same here.
(2017-05-22, 11:12 PM)Josh H. Wrote: [ -> ]Please don't use this feature. It's honestly ridiculous that it's still in the core. By using it, you're putting your user's plaintext password in an email inbox where it may be stored indefinitely, read by the email provider or anyone in the middle, etc.
Make your users set a decent password that they keep in their brain or in a physical location that some random internet script kiddie isn't going to be able to access from their computer. Or, better yet, stored in a reputable password manager.
You can easily change the password evertime you want...
I hope this feature will be fixed soon.
(2017-06-12, 01:23 PM)user001 Wrote: [ -> ]Josh H.Please don't use this feature. It's honestly ridiculous that it's still in the core. By using it, you're putting your user's plaintext password in an email inbox where it may be stored indefinitely, read by the email provider or anyone in the middle, etc.
[quote pid='1274407' dateline='1495494770']
Make your users set a decent password that they keep in their brain or in a physical location that some random internet script kiddie isn't going to be able to access from their computer. Or, better yet, stored in a reputable password manager.
You can easily change the password evertime you want...
I hope this feature will be fixed soon.
[/quote]
Many people don't though, and there's no telling how long that email could sit unread in their inbox. Or even if they read it and don't immediately change their password someone with access to their email could hijack the account. Additionally if the password generated is weak the user then has a weak password guarding their account that was sent to them in cleartext via email; not a secure solution by any means.
Hello,
The original mail you get:
------------------------------------------------------
xxx,
Thank you for registering on checkmybb. Below is your username and the randomly generated password. To login to checkmybb, you will need these details.
Username: xxx
Password: d69c9cfc98e971f53087a72fab7cfb04
It is recommended you change your password immediately after you login. You can do this by going to your User CP then clicking Change Password on the left menu.
Thank you,
checkmybb Staff
------------------------------------------------------