Cleartext passwords?
Posted by vandys
Cleartext passwords? February 07, 2022 05:32PM
Registered: 2 years ago Posts: 3
Is there a way to have the phorum operate with cleartext user passwords? I have a _very_ non-technical user base, and I need to be able to email them a monthly reminder of the phorum URL, their account name, and password.
You don't need to lecture me about database safety, password hashes, salts, password reset emails, all that. I understand. But security doesn't matter if there's no user base, and that's where I'm at. So is there any low-resistance path to have passwords stored such that I can run a script to pull out accounts and email reminders?
Note, I'm happy writing the script. I just need the saved password to be clear, not a crypto hash of any sort.
Thanks!
Andy Valencia
Re: Cleartext passwords? February 07, 2022 06:34PM
Admin Registered: 18 years ago Posts: 566
One place to look.
Passwords are only stored using a hash. They are sent from the user using clear text (as best I remember).
If you use logging, and there is a failure to log in, there is an option to show the password used (in clear text).
Don't remember if it shows a password on success.
Second place to look.
The 'register' script. Grab the password before it is hashed on the server. Store it in another/added column in the table.
The hardest part is locating the pertinent parts of the script.
Third...
Something to try on a test phorum, not a live one. Change/empty the salt in the admin and see what happens.
As far as security goes :) have them repeat their password if it is short, until it is longer than xx characters.
There is an ability to change the password in the user profile, you will need to handle it, or disable it.