Password reset increased security


Password reset increased security

Kerim Sidia
I would love to see the password reset not sending the passwords in clear text. Instead, build in a function where the user gets a mail with a link to an SSL web page (my previous feature request :) that has a limited lifetime, where the user can submit their new password.

You guys rock

K

Re: Password reset increased security

mikenereson
I was very disappointed when I just clicked "forgot password" and I got my password sent to me. I am surprised to see sites are still getting away with that.

Re: Password reset increased security

Will <Nabble>
Administrator
Thanks for telling us what you think. There is a reason why we are so "lazy" about this. So far Nabble has been only a public forum; in your user account there is nothing of significant value. And your account is not like a Google email account which ties to their other services. There are many high-priority things that have been asked for by more users, and we have only limited manpower, so we just prioritize it lower. One feature that has been asked for by many users is the private forum feature. We will release this soon. After that, I think it's more important to have the password more secure, because private discussion needs protection. So we probably will do the password thing after that. Does this make sense?

Re: Password reset increased security

mikenereson
I certainly appreciate a response, even if it's not exactly what I value as a good response. If the developers are unaware of the issues surrounding the storage of plain-text passwords in a database, then that's one thing, but if the designers and developers do understand the security risks of maintaining clear-text passwords and were too lazy to implement a secure method of storing passwords, then there is not really any good excuse for this.

When you send plain text passwords via an email, they are interceptable. That's not good. But even worse, that indicates that the passwords are stored in plain text in your database too. The passwords should have been hashed when they were created and the hashed value is what should have been stored.

The good news is that it's not too late for you to fix this oversight. Please read more about the issue and the solution, as this is one of many posts that I just Googled: http://www.aspheute.com/english/20040105.asp
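Kerim's request (a time-limited reset link sent by mail instead of the password itself) and mikenereson's point (store only a hash, never the password) fit together in one small design. The following is an added example written for this thread, not Nabble's code: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes from the standard library, a reset request mails a random single-use token whose SHA-256 (not the token itself) is kept server-side with an expiry, and completing the reset replaces the stored hash. The host name, iteration count, token lifetime and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 210_000
RESET_TOKEN_TTL = 15 * 60          # seconds a reset link stays valid
RESET_HOST = "https://forum.example"  # hypothetical host for the reset page


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$digest_hex'; only this string is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def token_key(token):
    # The database holds only this hash, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """In-memory stand-in for the user and reset tables (constructed for this example)."""

    def __init__(self, now=time.time):
        self.now = now
        self.users = {}    # email -> password hash string
        self.resets = {}   # sha256(token) -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        stored = self.users.get(email)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, email):
        """Return the URL to e-mail, or None; the caller shows the same neutral
        message either way so the form does not reveal which addresses exist."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.resets[token_key(token)] = (email, self.now() + RESET_TOKEN_TTL)
        return "%s/reset?token=%s" % (RESET_HOST, token)

    def complete_reset(self, token, new_password):
        """Consume the token (single use), reject it if expired, set the new hash."""
        entry = self.resets.pop(token_key(token), None)
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.org", "correct horse")
    link = store.request_reset("alice@example.org")
    print("mail this link over SSL:", link)
    print("stored hash:", store.users["alice@example.org"])
```

The reset page that `RESET_HOST` points at must itself be served over HTTPS, as both Kerim and Gisle ask, otherwise the new password crosses the wire in the clear just as the old one did.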

Password security

Gisle Hannemyr
In reply to this post by Kerim Sidia

I would like to add my two cents worth:
Transmitting passwords in clear-text is not considered a sound design practice in my neck of the woods.

In addition to the password reset case cited by Kerim Sidia, I've noticed two other instances when this happens:

  1. When you register and something goes wrong (e.g. you get the CAPTCHA wrong), the passwords are returned in clear text as arguments named "password1" and "password2" as part of the HTML (just do "view source" to inspect the HTML).
  2. When you try to log in and mistype your email address, the same thing happens.

Fortunately, the most blatant problem with these two instances is simple to fix: just do not embed clear-text passwords in the returned HTML. There is no reason to have it there. The user should know the right password, so he or she should fill in those fields themselves.

In addition: like Kerim Sidia, I think that any page transferring passwords should be encrypted using SSL. It is true that Nabble itself (being a message board) may not be very sensitive (although with private forums, sensitivity is higher than with public forums). However, users that are active online are not remembering hundreds of different passwords. Many users re-use passwords, and some use the same password for their Nabble account and for more sensitive accounts such as their bank or PayPal. While this is stupid on the part of the user, it happens, and I think a first-class service provider should take some measures to protect even stupid users against themselves.

HTTP is not a secure protocol. We know there are sniffers out there that watch for HTML with the string "password" embedded. Nabble's current design makes it trivial to steal passwords by means of such a sniffer.

If you choose not to fix this, on the grounds that Nabble is not a sensitive service, there should at least be a warning on the registration page alerting the user to the danger of re-using passwords. E.g.: "WARNING: Nabble does not treat your password securely. Please do not use a password that you might use for your bank account, PayPal or other important accounts."


Re: Password reset increased security

Eric Brum
In reply to this post by Will <Nabble>
Hi Will,

I have just established a private forum on Nabble, but was quite surprised to see in the Help section that passwords are still not encrypted as would be expected (and as your post above concurs). Can we please have an ETA on when password encryption will come online?

Kind regards,
Eric

Re: Password reset increased security

Hugo <Nabble>
We still need a few months to implement https security.

Re: Password reset increased security

Graham Perrin
To Hugo: thanks, I look forward to it.

To other readers of this topic: <http://n2.nabble.com/-tp2306610p2517314.html> places security and encryption amongst my top five wishes.

Whilst the absence of https may be surprising to newcomers, people (like me) who have used Nabble for years — for entirely public activities — appreciate that new/incoming features may be delivered in relatively basic ways whilst improvements are made across the board :-)