Topic "Enhancement of Forum Security"

Author Message
[View user's profile]

Joined: 2014-06-01
Posts: 4

during the registration process for this forum I noticed two things potentially affecting the security of the user's credentials:

  1. Neither the traffic for the registration nor for the login pages is encrypted by using TLS/SSL-enabled HTTP (HTTPS). This means that every single password used for registration or login is transferred via the web as clear text, readable for everyone.
  2. The registration confirmation e-mail that is sent out once the registration process is completed contains the chosen password as clear text.

Both points are not a good practice for the infrastructure of a software tool which shall allow a secure, encrypted file transfer with other hosts and both are potential security vulnerabilities, which would be easy to fix. Having said this, I would recommend to encrypt the webserver traffic at least for the login and registration pages by using HTTPS and not to include the clear text passwords of accounts in confirmation e-mails anymore. Passwords should be hashed with a suitable hashing algorithm additionally secured by an unique, random salt immediately after arriving on the server. Directly after hashing, they should be securely erased on the server side.
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 27059
Location: Prague, Czechia
Thanks for your suggestions.

- We have removed password from registration email
- We are planning to use HTTPS for forum authentication
- We are not storing (never were) plain text passwords on our server
[View user's profile]

Joined: 2014-06-01
Posts: 4
That's good to hear, thank you.

You can post new topics in this forum


What is WinSCP?

It is award-winning SFTP client, SCP client, FTPS client and FTP client integrated into one software program for file transfer to FTP server or secure SFTP server. [More]

And it's free!


About donations

$9   $19   $49   $99

About donations


WinSCP Privacy Policy

WinSCP License