Security of passwords? (18 posts)

  1. caboosesw
    Member
    Posted 2 years ago #

    I am a new WordPress user and honestly am not trying to stir up trouble.

    I purchased a premium theme ... and went to get support from the provider by creating an account on his forum ... with a userid and password.

    I was then emailed my EXACT password in PLAIN TEXT.

    He had a rather disinterested approach and said "if this is insecure then every WordPress site would be insecure."

    So I came here and created an account and see that I get an automatically generated password again emailed in PLAIN TEXT.

    NOT TRYING TO START A FLAME WAR ... but am I missing something here?

    I first want to find out why the first forum manager had the ability to email my ORIGINAL password to me and if that password is stored anywhere unencrypted or with weak encryption.

    Second, why generate a password and email it in plain text? Not that emails are regularly intercepted ... but it allows someone to possibly hop on a computer and check for emails with "password" in it etc.

  2. theotherlebowski
    Member
    Posted 2 years ago #

    The contents of the email you received weren't sent as plain text; emails are encrypted at the sender's end and decrypted at the receiver's end.

  3. caboosesw
    Member
    Posted 2 years ago #

    @TheDude :) That is the first I have heard of that ... would like to see a link ... but regardless the password is then STORED on the client email side unencrypted upon display ... certainly not a best practice

    Yes, the user can AND SHOULD then delete the email immediately ... I am more interested WHY this is the process vs. just letting the user choose their password and store it in a secured hash

  4. theotherlebowski
    Member
    Posted 2 years ago #

    I hate to revert to Wikipedia but here you go

  5. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    If one has access to the MySQL database, passwords can be extracted. The password and database information are in the wp-config.php file so FTP or host account access will gain this data.

  6. ClaytonJames
    Member
    Posted 2 years ago #

    @Seacoast Web Design

    If I interpret it correctly, the topic is more about concerns with email communications, rather than the WordPress database.

    @theotherlebowski

    The contents of the email you received weren't sent as plain text; emails are encrypted at the sender's end and decrypted at the receiver's end.

    I'm not sure I agree with the absolute nature of your statement. Are there not still very notable ISPs who, by default, do not offer an SSL connection option to their mail servers from an e-mail client? Isn't that considered a plain text communication?

  7. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    I first want to find out why the first forum manager had the ability to email my ORIGINAL password to me and if that password is stored anywhere unencrypted or with weak encryption.

    @Clayton, they asked how one found the password...I responded.

  8. theotherlebowski
    Member
    Posted 2 years ago #

    I'd say that most are encrypted/decrypted, aren't they? Surely if they want a good reputation for secure transmission they would take steps to limit the chances of interception?

  9. ClaytonJames
    Member
    Posted 2 years ago #

    @Seacoast Web Design

    they asked how one found the password.

    No they didn't. It doesn't matter, I'm just wondering aloud if you're on the same page as the OP. I may be wrong, but I think the OP was referring to the password sent to him/her by the support forum where the theme was purchased, and this forum, rather than the information stored in his WordPress database. I could be wrong... Happens a lot lately! :-)

    @theotherlebowski

    I certainly agree with that statement; they all should.

    I'm using a HUGE provider that offers no secure options over SMTP or POP. Secure web-based access only. Really ticks me off.

  10. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    Um, the password is then stored in the MySQL DB...which I will now repeat:

    If one has access to the MySQL database, passwords can be extracted. The password and database information are in the wp-config.php file so FTP or host account access will gain this data.

  11. ClaytonJames
    Member
    Posted 2 years ago #

    Not to kick a dying dog, but I don't think I understand. What does that have to do with transmitting forum passwords in plain text in an email communication?

    What password exactly is it that you're referring to? @caboosesw's password for his/her WordPress site?

    I interpreted the topic to be one of concern over the fact that the OP received passwords for two separate forums, by what is being perceived as plain text communications in an email client. If I'm misinterpreting what I'm reading, then apologies all 'round, and perhaps I should consider sleeping at some point this week.. Haha!! :-)

  12. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    I interpret it as how did one know the password?

  13. fonglh
    Member
    Posted 2 years ago #

    There's nothing surprising about forum software being able to generate a password and send an email in plaintext. Whether it then stores that plaintext password depends on the forum software. Passwords should not be stored in plaintext.

    After you get that plaintext password, it is YOUR responsibility to change it. This is no different from the few minutes a WordPress site can be 'hijacked' by someone else before the owner has gone through the installation procedure.

    For WordPress sites, passwords in the database are stored as hashes. They are not encrypted. Encryption is meant to be reversible with the proper key; hashes are not. So while Seacoast is right that passwords can be extracted from WordPress sites, it is not a trivial process to obtain the corresponding plaintext.

    WordPress hashes passwords with the PHPass library. You can read more about it at http://www.openwall.com/phpass/

    tl;dr
    Change your password after you get it by email.

  14. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    I strongly agree with fonglh.

  15. Edit: I've re-read and got the topic off slightly. You're discussing other forums' password resets. Well, mine is a good reply anyway. :D

    The contents of the email you received weren't sent as plain text; emails are encrypted at the sender's end and decrypted at the receiver's end.

    Side note that's not really pertinent to this conversation: Not all SMTP mail relays support TLS (encryption). Never count on email to be secure by itself. You can secure retrieval between you and the SMTP relay and your POP3/IMAP4 server but once the email is sent past that, it's out of your hands and may not be encrypted in transmission.

    Back to the topic at hand and for WordPress password on your self hosted installation: The email is only part of the password reset process. A new password is not sent, instead a URL is sent with a key.

    The password reset URL works once. Any second use (after the password is reset) will get you

    Sorry, that key does not appear to be valid.

    Which will let you know that someone got there before you did. If that happens then they've got access to your email. Don't worry about WordPress password resets, you've bigger problems. ;)

    Passwords are stored in the MySQL database using a one-way hash. Passwords go in but they can't come out. When you submit your password, it gets hashed and the hash is compared with what's in the DB.

    And as mentioned above, if the hacker has access to your file system (wp-config.php), user passwords really aren't a problem either.
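The two mechanisms described in posts 13 and 15 (one-way salted password hashes instead of stored or encrypted passwords, and a single-use reset key whose second use returns "Sorry, that key does not appear to be valid.") as an added, self-contained Python example. This is not WordPress or PHPass code: PBKDF2-HMAC-SHA256 stands in for PHPass, the `USERS` dict stands in for the users table, and all names are constructed for the demo.

```python
"""Constructed demo of hash-based password storage and a single-use reset key.
Not WordPress code; PBKDF2 replaces PHPass and a dict replaces the users table."""
import hashlib
import hmac
import secrets
from typing import Optional

USERS: dict = {}  # assumption: in-memory stand-in for wp_users; holds hashes only
INVALID_KEY_MSG = "Sorry, that key does not appear to be valid."


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated one-way hash: the password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Re-hash the submitted password with the stored salt; compare in constant time."""
    salt_hex, _digest_hex = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def register(user: str, password: str) -> None:
    USERS[user] = {"hash": hash_password(password), "reset_key": None}


def request_reset(user: str) -> str:
    """Return the key that would go into the emailed URL; only its hash is kept."""
    key = secrets.token_urlsafe(24)
    USERS[user]["reset_key"] = hashlib.sha256(key.encode()).hexdigest()
    return key


def reset_password(user: str, key: str, new_password: str) -> str:
    """Consume the key: a wrong key, or a second use, gets the error message."""
    stored = USERS.get(user, {}).get("reset_key")
    presented = hashlib.sha256(key.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return INVALID_KEY_MSG
    USERS[user]["hash"] = hash_password(new_password)
    USERS[user]["reset_key"] = None  # single use: clear the key once consumed
    return "Password reset."
```

Because the reset key is stored hashed and cleared on first use, a database read after the fact yields neither the password nor a reusable key; the emailed link is the only copy, which is why whoever reads the mailbox first wins.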

  16. caboosesw
    Member
    Posted 2 years ago #

    I agree that a system that sends a one time password -- hashes that password -- sends the password to a user -- requests the user to change the password upon login -- is relatively acceptable.

    What I was trying to say was the forum in question ASKED for me to set a password ... and then sent me a CONFIRMING EMAIL with THAT PASSWORD in plain text ... which led me to question whether the default behavior in WordPress is to store encrypted or plain text (as in NOT HASHED) passwords.

    TL;DR it looks like WordPress is fine but this other forum is sketchy

  17. ClaytonJames
    Member
    Posted 2 years ago #

    @Jan Dembowski

    Well, mine is a good reply anyway. :D

    Yes sir, yes it is.

    @caboosesw

    We've got our eye on you, troublemaker... Just kidding, of course. This is an excellent topic. Welcome to the forums!

    :-)

  18. Pioneer Valley Web Design
    Member
    Posted 2 years ago #

    So we agree to change said password right away as do all security folks?

Topic Closed

This topic has been closed to new replies.