Topic review

DigNative
That's good to hear, thank you.
martin
Thanks for your suggestions.

- We have removed the password from the registration email
- We are planning to use HTTPS for forum authentication
- We are not storing (and never were) plain text passwords on our server
DigNative
Hi,

During the registration process for this forum I noticed two things potentially affecting the security of the user's credentials:

  1. Neither the traffic for the registration page nor for the login page is encrypted using TLS/SSL-enabled HTTP (HTTPS). This means that every single password used for registration or login is transferred over the web as clear text, readable by everyone.
  2. The registration confirmation e-mail that is sent out once the registration process is completed contains the chosen password as clear text.

Neither point is good practice for the infrastructure of a software tool which shall allow secure, encrypted file transfer with other hosts, and both are potential security vulnerabilities which would be easy to fix. Having said this, I would recommend encrypting the webserver traffic at least for the login and registration pages by using HTTPS, and no longer including the clear text passwords of accounts in confirmation e-mails. Passwords should be hashed with a suitable hashing algorithm, additionally secured by a unique, random salt, immediately after arriving on the server. Directly after hashing, they should be securely erased on the server side.
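The server-side handling the post above asks for (hash each password with a fresh random salt as soon as it arrives, keep only the hash, and never echo the plaintext into a confirmation e-mail), shown as an added example in Python. This is not code from the forum thread or from the WinSCP project; the PBKDF2-HMAC-SHA256 parameters, the storage record format and the e-mail text are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
# Tune ITERATIONS so one hash costs a noticeable fraction of a second on your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Hash a password with a fresh, unique random salt.

    Returns a self-describing record (assumed format) that stores everything
    needed to verify later: algorithm$iterations$salt_hex$digest_hex.
    Each call draws a new salt, so the same password never hashes the same way twice.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Malformed or foreign records are rejected rather than raising, so a corrupt
    database row cannot turn into an unexpected exception on the login path.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def register_user(username: str, password: str, user_store: dict) -> str:
    """Register a user: store only the hash and build a password-free confirmation.

    The plaintext password is used exactly once, to derive the hash, and is
    not written to the store or to the e-mail body.
    """
    user_store[username] = hash_password(password)
    # Constructed confirmation text; deliberately contains no credential.
    return (
        f"Hello {username},\n\n"
        "your forum account has been created. You can now log in with the "
        "password you chose during registration.\n"
    )


def login(username: str, password: str, user_store: dict) -> bool:
    """Check a login attempt against the stored hash; unknown users simply fail."""
    record = user_store.get(username)
    if record is None:
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {}
    mail = register_user("dignative", "correct horse battery staple", users)
    print(mail)
    print("stored record:", users["dignative"])
    print("login ok:", login("dignative", "correct horse battery staple", users))
    print("wrong password:", login("dignative", "wrong", users))
```

The confirmation e-mail can only omit the password if the registration handler never passes it beyond the hashing step; keeping `hash_password` as the sole consumer of the plaintext makes that property easy to review. Note that this addresses storage and e-mail disclosure only; the first point in the post (passwords crossing the network in clear text) is solved by serving the login and registration pages over HTTPS, not by anything the application does after the request arrives.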
