Hi,

I just went to the SFD wiki and used the "remind me of my password" thing which sent me a mail containing my user ID but an SHA encrypted version of my password.

Surely it should send me my password in the clear?

I actually remembered my password so was able to log on, but other users may not be so lucky.

Cheers,
Al.
Dear Alan,

Putting the encrypted password would log you in. You can then change your password and other details. The reason why it's not cleartext is mentioned on the UserPreferences page: "...if someone intercepts the mail, he won't know your REAL password".

Best regards,
Russell

On 5/9/07, Alan Pope <alan@popey.com> wrote:
Hi,
I just went to the SFD wiki and used the "remind me of my password" thing which sent me a mail containing my user ID but an SHA encrypted version of my password.
Surely it should send me my password in the clear?
I actually remembered my password so was able to log on, but other users may not be so lucky.
Cheers, Al.
_______________________________________________ SFD-discuss mailing list SFD-discuss@sf-day.org http://mail.sf-day.org/lists/listinfo/sfd-discuss
On Wed, May 09, 2007 at 05:57:28PM +0600, Russell John wrote:
Dear Alan,
Putting the encrypted password would log you in. You can then change your password and other details. The reason why it's not cleartext is mentioned on the UserPreferences page: "...if someone intercepts the mail, he won't know your REAL password".
How bizarre and completely different from every other wiki I have ever used.

Also how is this in any way more secure? If someone intercepts my mail they can log on with my encrypted password in the same way I might, and change my password?

It's not a big deal, just odd.

Cheers,
Al.
Alan Pope wrote:
<---snip--->
Also how is this in any way more secure? If someone intercepts my mail they can logon with my encrypted password in the same way I might, and change my password?
It's not a big deal, just odd.
I don't know if it's the reason: Some people have a bad password habit: they use one password for several sites. If someone intercepts the message with the password in, only your account on softwarefreedomday.org will be compromised.

Also if e.g. a server harvests e-mails, including the one with your password in it, your account will not be vulnerable after you have updated your password on softwarefreedomday.org. If it is compromised before you update your password you would be aware of it when you try to login to change your password (because you have to change it).

Other than that, I can't see the purpose... :-/

--
Regards
Georg Sluyterman
njlug.dk, Aalborg, Denmark
On 5/9/07, Georg Sluyterman <georg@thecrew.dk> wrote:
Some people have a bad password habit: they use one password for several sites. If someone intercepts the message with the password in, only your account on softwarefreedomday.org will be compromised.
This reason is enough to generate "encrypted" passwords. Back in school days this was one of my techniques to hijack other people's accounts. ;)

- Russell

P.S. Any secret service agents on this list?
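The two points made in this thread (Alan's, that the mailed digest is itself accepted at login, and Georg's, that at least the real, possibly reused password never leaves the server) can be seen side by side in a small model. This is an added illustration, not code from the SFD wiki or its software; the class names, the toy SHA-1 storage and the sample password are all constructed for the example, and the second class shows the usual alternative, a random single-use reset token that expires.

```python
# Added illustration (not the wiki's code): model of the behaviour discussed
# in the thread, next to a single-use expiring reset token. All names and
# values are constructed for the example.
import hashlib
import hmac
import os

def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()

# The wiki behaviour as described: the reminder mail carries the stored digest,
# and the login form accepts either the password or that digest. Whoever holds
# the mail can log in, so the digest is a password equivalent for this site,
# although the real (possibly reused) password is not disclosed.
class WikiLogin:
    def __init__(self, password: str):
        self.stored = sha1_hex(password)      # what the wiki keeps

    def reminder_mail(self) -> str:
        return self.stored                    # what the mail contains

    def login(self, submitted: str) -> bool:
        return (hmac.compare_digest(sha1_hex(submitted), self.stored)
                or hmac.compare_digest(submitted, self.stored))

# Alternative: the mail carries a random token, the server stores only the
# token's hash, and the token may be used once, within a time window, to set
# a new password. The mail never contains anything valid for logging in.
class ResetFlow:
    def __init__(self, password: str, ttl_s: int = 3600):
        self.stored = sha1_hex(password)
        self.ttl_s = ttl_s
        self.pending = None                   # (token_hash, expiry_time)

    def reminder_mail(self, now: float) -> str:
        token = os.urandom(16).hex()
        self.pending = (sha1_hex(token), now + self.ttl_s)
        return token

    def reset(self, token: str, new_password: str, now: float) -> bool:
        if self.pending is None:
            return False
        token_hash, expiry = self.pending
        self.pending = None                   # single use: any attempt consumes it
        if now > expiry or not hmac.compare_digest(sha1_hex(token), token_hash):
            return False
        self.stored = sha1_hex(new_password)
        return True

    def login(self, submitted: str) -> bool:
        # Only the password itself is accepted; the stored digest is not.
        return hmac.compare_digest(sha1_hex(submitted), self.stored)
```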