Post a reply

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)


Topic review


That's good to hear, thank you.

Re: Enhancement of Forum Security

Thanks for your suggestions.

- We have removed password from registration email
- We are planning to use HTTPS for forum authentication
- We are not storing (never were) plain text passwords on our server

Enhancement of Forum Security


during the registration process for this forum I noticed two things potentially affecting the security of the user's credentials:

  1. Neither the traffic for the registration nor for the login pages is encrypted by using TLS/SSL-enabled HTTP (HTTPS). This means that every single password used for registration or login is transferred via the web as clear text, readable for everyone.
  2. The registration confirmation e-mail that is sent out once the registration process is completed contains the chosen password as clear text.

Both points are not a good practice for the infrastructure of a software tool which shall allow a secure, encrypted file transfer with other hosts and both are potential security vulnerabilities, which would be easy to fix. Having said this, I would recommend to encrypt the webserver traffic at least for the login and registration pages by using HTTPS and not to include the clear text passwords of accounts in confirmation e-mails anymore. Passwords should be hashed with a suitable hashing algorithm additionally secured by an unique, random salt immediately after arriving on the server. Directly after hashing, they should be securely erased on the server side.