That's good to hear, thank you.

Thanks for your suggestions.

– We have removed password from registration email
– We are planning to use HTTPS for forum authentication
– We are not storing (never were) plain text passwords on our server

Hi,

during the registration process for this forum I noticed two things potentially affecting the security of the user's credentials:

1. Neither the traffic for the registration nor for the login pages is encrypted by using TLS/SSL-enabled HTTP (HTTPS). This means that every single password used for registration or login is transferred via the web as clear text, readable for everyone.
   
2. The registration confirmation e-mail that is sent out once the registration process is completed contains the chosen password as clear text.
   

Both points are not a good practice for the infrastructure of a software tool which shall allow a secure, encrypted file transfer with other hosts and both are potential security vulnerabilities, which would be easy to fix. Having said this, I would recommend to encrypt the webserver traffic at least for the login and registration pages by using HTTPS and not to include the clear text passwords of accounts in confirmation e-mails anymore. Passwords should be hashed with a suitable hashing algorithm additionally secured by an unique, random salt immediately after arriving on the server. Directly after hashing, they should be securely erased on the server side.