| I received my username and password in an email when I signed up. | |
|
|
Author | Message |
---|
TeenageAngst Incubi
Posts : 1846 Join date : 2016-08-29
| Subject: I received my username and password in an email when I signed up. Fri Sep 09 2016, 20:31 | |
| This is bad news bears for a variety of reasons and I'm not sure if the admin can control it or if that's something squarely on the shoulders of whatever company runs this forum's server. Either way this is a huge security risk. | |
|
| |
BetrayTheWorld Trueborn
Posts : 2665 Join date : 2013-04-04
| Subject: Re: I received my username and password in an email when I signed up. Sat Sep 10 2016, 02:34 | |
| This is pretty standard when you sign up for just about anything on the internet. Don't use shared email addresses. | |
|
| |
Elvellyn Hellion
Posts : 36 Join date : 2016-03-27 Location : BC
| Subject: Re: I received my username and password in an email when I signed up. Sat Sep 10 2016, 08:12 | |
| Isn't it usually just the username that gets sent to you though? That way you can look up your username in your email and then use the password reset feature. I too thought it was odd the password was sent. But I didn't think too much of it because it's not like I used my most secure password for this forum. | |
|
| |
BetrayTheWorld Trueborn
Posts : 2665 Join date : 2013-04-04
| Subject: Re: I received my username and password in an email when I signed up. Sat Sep 10 2016, 15:08 | |
| No, usually it's both. But it wouldn't matter anyhow, since anyone with access to the email could use whatever password retrieval process was in place with nothing but your email address and username.
This is simple, really. If other people have access to your email, NOTHING associated with that email is secure. Don't share your email. | |
|
| |
Cavash Lord of the Chat
Posts : 3237 Join date : 2012-04-15 Location : Stuck in an air vent spying on plotters
| Subject: Re: I received my username and password in an email when I signed up. Mon Sep 12 2016, 14:31 | |
| I don't have access to the control panel, so I don't know if it is something we can control. It is quite possibly something that Forumotion implemented.
Was this on the initial email you got when signing up or is it an email after your account has been confirmed? I didn't get my username and password when I signed up, but that was a while ago and it could have changed since then. I could see it being an issue if you registered the wrong email address and the email to confirm the account was sent there with username and password. Could you clarify if you were a full member when you got the email?
Cheers | |
|
| |
Gobsmakked Rumour Scourge
Posts : 3274 Join date : 2011-05-14 Location : Vancouver, BC
| Subject: Re: I received my username and password in an email when I signed up. Tue Sep 13 2016, 00:24 | |
| I will have a look tonight, I didn't think it did this either, but it's been ........ 5 years | |
|
| |
TeenageAngst Incubi
Posts : 1846 Join date : 2016-08-29
| Subject: Re: I received my username and password in an email when I signed up. Fri Sep 23 2016, 20:19 | |
| People having access to my email is not the security risk and the fact that was what you assumed it was means you don't understand why this is a problem. Most servers do not store passwords, they store encrypted bits that, when a password is entered into the login page, are deciphered as a TRUE or FALSE statement. By sending someone their password in their email this means 3 things:
1: The recipient's email server and/or client is now a security vulnerability as that password is now stored in plain text format there.
2: The sender's email server as well as the client the sender used also have the password stored in plain text format. This is beyond the control of the end user and cannot be deleted except by a network administrator.
3: The website host's server has the password stored in plain text format.
All of these passwords are also associated with the username. Most people use the same password on multiple accounts meaning ANY accounts with this password are immediately compromised as scraping plain text stored on a vulnerable server is one of the easiest ways to hack a system. Once again, I could keep my email account secure and still be vulnerable because my email client server, the host's email client server, and the forum server all have my username and account stored in plain text format. This is the digital equivalent of keeping the spare key to your house in an unlocked neighbor's home. | |
|
| |
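The storage model described in the post above (the server keeps only a value it can check a login attempt against), as an added example that is not part of any post in this thread and is not the forum software's code. It assumes salted PBKDF2-HMAC-SHA256 as the one-way function; the function names, the iteration count, the `forum.example` URL and the sample account are all hypothetical.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumed work factor for this example


def _derive(password: str, salt: bytes) -> bytes:
    # One-way: the password cannot be computed back from this output.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str):
    """Return (stored_record, confirmation_email) for a new account."""
    salt = os.urandom(16)  # per-user salt, so equal passwords give different records
    record = {"user": username, "salt": salt.hex(),
              "hash": _derive(password, salt).hex()}
    token = secrets.token_urlsafe(16)  # random confirmation token, unrelated to the password
    email = (f"Welcome {username}.\n"
             f"Confirm your account: https://forum.example/confirm?t={token}\n")
    return record, email


def check_login(record: dict, attempt: str) -> bool:
    """The TRUE/FALSE answer: re-derive from the attempt, compare in constant time."""
    candidate = _derive(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def leaks(secret: str, *blobs: str) -> bool:
    """True if the plaintext secret appears in any stored or mailed text."""
    return any(secret in blob for blob in blobs)


if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    rec, mail = register("sample_user", "correct horse battery")
    print(rec)
    print(mail)
    print(check_login(rec, "correct horse battery"), check_login(rec, "guess"))
    print(leaks("correct horse battery", str(rec), mail))
```

A site that stores only such a record has nothing to put in a signup email except the username and a confirmation link, which is why a mailed password suggests the plaintext was available to the mailer at some point.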
TeenageAngst Incubi
Posts : 1846 Join date : 2016-08-29
| Subject: Re: I received my username and password in an email when I signed up. Fri Sep 23 2016, 20:22 | |
| - TeenageAngst wrote:
- People having access to my email is not the security risk and the fact that was what you assumed it was means you don't understand why this is a problem. Most servers do not store passwords, they store encrypted bits that, when a password is entered into the login page, are deciphered as a TRUE or FALSE statement. By sending someone their password in their email this means 3 things:
1: The recipient's email server and/or client is now a security vulnerability as that password is now stored in plain text format there.
2: The sender's email server as well as the client the sender used also have the password stored in plain text format. This is beyond the control of the end user and cannot be deleted except by a network administrator.
3: The website host's server has the password stored in plain text format.
All of these passwords are also associated with the username. Most people use the same password on multiple accounts meaning ANY accounts with this password are immediately compromised as scraping plain text stored on a vulnerable server is one of the easiest ways to hack a system. Once again, I could keep my email account secure and still be vulnerable because my email client server, the host's email client server, and the forum server all have my username and account stored in plain text format. This is the digital equivalent of keeping the spare key to your house in an unlocked neighbor's home.
edit: "Was this on the initial email you got when signing up or is it an email after your account has been confirmed? I didn't get my username and password when I signed up, but that was a while ago and it could have changed since then. I could see it being an issue if you registered the wrong email address and the email to confirm the account was sent there with username and password. Could you clarify if you were a full member when you got the email?"
It was in the email I was sent when I signed up. | |
|
| |