askmike
Posts: 6
Joined: Sat Nov 07, 2015 1:46 pm

Forum sends password in plain text over email

Tue Dec 01, 2015 2:46 pm

After forgetting my password I was able to reset it using the "I forgot my password" button. This way I received an email that contained my password in plain text.

The problem is that sending passwords in plain text is considered a very bad practice and is not secure at all (some info here). Most websites use a strategy of sending you a temporary link that allows you to set a new password (PGP could also be used, which is more in the spirit of crypto).

arnoudk
Bronze Bitcoiner
Posts: 631
Joined: Wed Oct 21, 2015 4:04 am
Location: Belize

Re: Forum sends password in plain text over email

Tue Dec 01, 2015 10:34 pm

You don't get your old password sent to you by email... but it sends a newly generated password. I tried it a few days ago, and I got the following email.

> Hello arnoudk
>
> You are receiving this notification because you have (or someone pretending
> to be you has) requested a new password be sent for your account on "The
> Bitcoin Forum". If you did not request this notification then please ignore
> it, if you keep receiving it please contact the board administrator.
>
> To use the new password you need to activate it. To do this click the link
> provided below.
>
> https://forum.bitcoin.com/ucp.php?mode=activate&u=<<link altered>>
>
> If successful you will be able to login using the following password:
>
> Password: <<password removed>>
>
> You can of course change this password yourself via the profile page. If
> you have any difficulties please contact the board administrator.
>
> Thanks, The Management

The password is not active until you click the link. Until that time, the old password remains in effect. You should change this password immediately, as the email suggests.

I think this could be improved upon by having two items: a password chosen over https and an activation code presented by email. And you'd need both to be able to reset anything.
Excited about the potential of Bitcoin Cash in the beautiful country of Belize.
Developer of the RegisterDocuments.com Document Registration Service (using the Bitcoin Cash blockchain).

DOGed
Nickel Bitcoiner
Posts: 69
Joined: Sat Nov 21, 2015 6:25 am

Donate BTC of your choice to 136djiDtVHKq8KLnJQnCRJL2TydpGgnyyT

Re: Forum sends password in plain text over email

Wed Dec 02, 2015 8:33 am

The process to reset your password is virtually the same as it is on most other sites, at least from a security point of view.

When you reset your password on most other websites, you will generally receive a link to click on that directs you to a page that allows you to choose a new password. This link is essentially your new password.

I would certainly say that something like PGP encryption for emails from the forum would be very nice, however I do not know what it would take to get something like that implemented. I know of only two sites that offer this, Bitfinex and Facebook, and the former does not even work with all emails that you should receive, resulting in you outright not receiving some specific types of emails.
Have fun, send me a tip 136djiDtVHKq8KLnJQnCRJL2TydpGgnyyT

askmike
Posts: 6
Joined: Sat Nov 07, 2015 1:46 pm

Re: Forum sends password in plain text over email

Thu Dec 03, 2015 1:59 pm

arnoudk wrote:
> The password is not active until you click the link.

Anyone with access to that email before you clicked the link can click the link. Anyone with access after you clicked has a potential password to your account.

arnoudk wrote:
> You should change this password immediately, as the email suggests.

The email doesn't suggest this at all, it says you are able to. I didn't because all my password management software already stored this one now (if you don't make it mandatory people most probably won't do it).

DOGed wrote:
> The process to reset your password is virtually the same as it is on most other sites, at least from a security point of view.
>
> When you reset your password on most other websites, you will generally receive a link to click on that directs you to a page that allows you to choose a new password. This link is essentially your new password.

The normal process involves sending a link that allows you to change your password, it never sends passwords.

BitcoinXio
Nickel Bitcoiner
Posts: 167
Joined: Mon Sep 21, 2015 4:12 pm
Contact: Website

Re: Forum sends password in plain text over email

Thu Dec 03, 2015 7:21 pm

Everyone has good feedback here. arnoudk's description is the most accurate, as the email is sent with a new password and password activation link. If you don't click the link then your password won't be reset. Also as arnoudk said, you should immediately change your password after you login to something you can remember and use.

For improvements, I think ideally the password shouldn't be sent in the email at all. It should be a hyperlink to reset your password on the page on the site. It's important that you have your own security on your email setup with two-factor authentication (2FA) to avoid any sort of attacker accessing your email. If they had access, they could still click the link and reset the password on the site. But at least without providing the password in the email, it can't be intercepted in transit (which again won't matter much if the link isn't clicked in the email).

Google has a good intro to 2FA if you don't currently use it. If you don't, I highly suggest you start doing so.

https://www.google.com/landing/2step/

arnoudk
Bronze Bitcoiner
Posts: 631
Joined: Wed Oct 21, 2015 4:04 am
Location: Belize

Re: Forum sends password in plain text over email

Thu Dec 03, 2015 8:02 pm

The forum security is, of course, only as good as its weakest link. If the email account is compromised then an attacker will always have the ability to reset (unless 2FA is properly set up).

For a bitcoin forum, I think the following would be workable:

In the reset password page, require that the requestor sign a message using their bitcoin address from their profile. The website must construct this message, and it could be as simple as "password reset request for forum.bitcoin.com for user arnoudk. Requested by IP 123.321.123.321 at date and time". The cryptographic signature of exactly this message must be valid. The forum already has the bitcoin address field against which to validate. Only then will an email with a reset link be sent. To actually change the password you could sign another message, i.e. "password reset request with activation code ANHGUYFGHKGFDETHHHDUSH for forum.bitcoin.com for user arnoudk".

The first check prevents all unauthorised requests to reset a password. The second prevents a man in the middle attack vector.

A separate process should exist for users who have forgotten their password AND lost access to their keys. But that could be majorly inconvenient and slow. Such as asking the client to put x amount of bitcoin in escrow and then sending a random amount of warning emails to the user's email address at random times of the day for at least 1 or 2 months before the password may be reset.
Excited about the potential of Bitcoin Cash in the beautiful country of Belize.
Developer of the RegisterDocuments.com Document Registration Service (using the Bitcoin Cash blockchain).
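A sketch of the two-step signed-challenge reset that arnoudk proposes above, as an added example that is not code from the forum, from phpBB or from anyone in this thread. It assumes the profile stores an ECDSA public key rather than a Bitcoin address, and uses Go's P-256 ECDSA over SHA-256 as a stand-in for Bitcoin's secp256k1 "sign message" feature; the ResetServer type, the function names and the in-memory maps are constructed for the illustration. What it demonstrates is the property the post relies on: the site builds both messages, binding the first to user, IP, time and a fresh nonce so a captured signature fits exactly one request, and requiring a second signature over the emailed activation code so that reading the email alone is not enough.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example, not the forum's code. Assumption: P-256/SHA-256 stands in for
// Bitcoin's secp256k1 message signing; the SITE builds every message that is signed.

// ResetChallenge is the first message: bound to user, IP, time and a nonce.
func ResetChallenge(site, user, ip, nonce string, at time.Time) string {
	return fmt.Sprintf("password reset request for %s for user %s. Requested by IP %s at %s. Nonce %s",
		site, user, ip, at.UTC().Format(time.RFC3339), nonce)
}

// ActivationChallenge is the second message, tied to the emailed code.
func ActivationChallenge(site, user, code string) string {
	return fmt.Sprintf("password reset request with activation code %s for %s for user %s", code, site, user)
}

// Sign is what the user's wallet does; Verify is the server-side check.
func Sign(priv *ecdsa.PrivateKey, msg string) ([]byte, error) {
	h := sha256.Sum256([]byte(msg))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func Verify(pub *ecdsa.PublicKey, msg string, sig []byte) bool {
	h := sha256.Sum256([]byte(msg))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// ResetServer is a toy in-memory stand-in for the forum's user database.
type ResetServer struct {
	Site      string
	Keys      map[string]*ecdsa.PublicKey // key from the profile page
	pending   map[string]string           // user -> activation code awaiting step 2
	Passwords map[string]string           // a real site stores a password hash
	MaxAge    time.Duration               // how old a signed request may be
}

func NewResetServer(site string) *ResetServer {
	return &ResetServer{Site: site, Keys: map[string]*ecdsa.PublicKey{},
		pending: map[string]string{}, Passwords: map[string]string{}, MaxAge: 5 * time.Minute}
}

// RequestReset is step 1. Only a valid signature over the server-built message
// earns an activation code; the returned code is what would go into the email.
func (s *ResetServer) RequestReset(user, ip, nonce string, at, now time.Time, sig []byte) (string, error) {
	pub, ok := s.Keys[user]
	if !ok {
		return "", errors.New("no key on profile")
	}
	if age := now.Sub(at); age < 0 || age > s.MaxAge {
		return "", errors.New("request timestamp outside the allowed window")
	}
	if !Verify(pub, ResetChallenge(s.Site, user, ip, nonce, at), sig) {
		return "", errors.New("bad signature on reset request")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := hex.EncodeToString(raw)
	s.pending[user] = code
	return code, nil
}

// ActivateReset is step 2. The emailed code alone is not enough: the user must
// also sign a message containing it, and the code is single-use.
func (s *ResetServer) ActivateReset(user, code string, sig []byte, newPassword string) error {
	want, ok := s.pending[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(code)) != 1 {
		return errors.New("no matching pending reset")
	}
	if !Verify(s.Keys[user], ActivationChallenge(s.Site, user, code), sig) {
		return errors.New("bad signature on activation")
	}
	delete(s.pending, user)
	s.Passwords[user] = newPassword
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := NewResetServer("forum.bitcoin.com")
	srv.Keys["arnoudk"] = &priv.PublicKey
	now := time.Now()
	sig1, _ := Sign(priv, ResetChallenge(srv.Site, "arnoudk", "123.321.123.321", "n1", now))
	code, err := srv.RequestReset("arnoudk", "123.321.123.321", "n1", now, now, sig1)
	fmt.Println("step 1:", err, "code:", code)
	sig2, _ := Sign(priv, ActivationChallenge(srv.Site, "arnoudk", code))
	fmt.Println("step 2:", srv.ActivateReset("arnoudk", code, sig2, "new-password"))
}
```

Run as is, it walks one user through both steps. The MaxAge window is the detail worth keeping: a signed request older than a few minutes is refused, so a signature copied out of an old request cannot be resubmitted later, and a step-1 signature never satisfies step 2 because the two messages differ.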

DOGed
Nickel Bitcoiner
Posts: 69
Joined: Sat Nov 21, 2015 6:25 am

Donate BTC of your choice to 136djiDtVHKq8KLnJQnCRJL2TydpGgnyyT

Re: Forum sends password in plain text over email

Fri Dec 04, 2015 12:00 am

askmike wrote:
> The normal process involves sending a link that allows you to change your password, it never sends passwords.

I think this is one and the same. If someone has access to your plaintext emails then either way they would have access to your account.
Have fun, send me a tip 136djiDtVHKq8KLnJQnCRJL2TydpGgnyyT

creationlayer
Site Admin
Posts: 132
Joined: Wed Oct 28, 2015 9:06 am
Contact: Telegram

Re: Forum sends password in plain text over email

Fri Dec 04, 2015 1:58 am

Generally for reset, a token must be sent. The token does not have to be a password, but still allows the person clicking to reset the password. You may notice this with, say, Twitter's password reset. It is a link with a variety of characters following it. This is the token.

Either way, the person has access to resetting password. I would strongly recommend you use 2fa when available. There is no perfect solution besides using PGP. The downside with this system is you need to change your password ASAP.

If we can improve the process, the main developer will look into it.

Thank you for your suggestion
We can only see a short distance ahead, but we can see plenty there that needs to be done.
-Alan Turing

askmike
Posts: 6
Joined: Sat Nov 07, 2015 1:46 pm

Re: Forum sends password in plain text over email

Fri Dec 04, 2015 1:35 pm

2FA only helps in preventing people from breaking into your email account.

I am not feeling I am getting my point across in this discussion about 2FA and "you should change your password anyway":

Let me put it this way: I am a system developer, and I would never design password reset functionality that ends up sending a password in plain text, as this is considered extremely bad practice (and I will likely get fired). Why it is considered bad practice:

- Email is an extremely insecure protocol. The email is very likely going in plain text over the internet (and no 2FA is going to stop that).
- Most local email clients (Outlook, Thunderbird, etc.) do not encrypt emails locally, which means everyone who gets access to your machine has your password.
- In order for a system to mail the password, the password is touching a lot of different moving parts of the system which can all be compromised (the email sending module, the email daemon / SMTP server sending the actual email). I would not be surprised if all those emails are cached somewhere as well (are you resending in case of bounce, or just fire and forget?).
- Sending an email with a temporary token offers even better UX since the user can immediately enter a new password him/herself.
- Saying people should be using 2FA severely limits how one might use email; for all practical purposes this only works for email hosted in the cloud. (Are we talking about security at all?)

arnoudk wrote:
> For a bitcoin forum, I think the following would be workable:
>
> In the reset password page, require that the requestor sign a message using their bitcoin address from their profile. The website must construct this message, and it could be as simple as "password reset request for forum.bitcoin.com for user arnoudk. Requested by IP 123.321.123.321 at date and time". The cryptographic signature of exactly this message must be valid. The forum already has the bitcoin address field against which to validate. Only then will an email with a reset link be sent. To actually change the password you could sign another message, i.e. "password reset request with activation code ANHGUYFGHKGFDETHHHDUSH for forum.bitcoin.com for user arnoudk".

I think this forum is meant to be a starting point for Bitcoin. Which means that these more complex procedures could not be completed by the average user. Also what if users have not filled in a bitcoin address (like me), or one from an online wallet provider?

arnoudk wrote:
> A separate process should exist for users who have forgotten their password AND lost access to their keys.

I think normally this would mean you lose your account, same goes for your bitcoin.

EDIT:

for all the people who don't believe me: check out this random pdf I found after 12 seconds of googling:

https://securabit.com/wp-content/upload ... t_v5-1.pdf

EDIT 2:

DOGed wrote:
> I think this is one and the same. If someone has access to your plaintext emails then either way they would have access to your account.

No because:

- If the attacker changes the password before you, you can't do it anymore since the token is invalidated.
- If you change it before an attacker he can't do anything because the token is invalidated.

In the first case, you know your account is compromised.
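The token-in-a-link reset that creationlayer describes (a link with a string of characters after it) and that askmike's EDIT 2 relies on, as an added example that is not phpBB's code or anything posted in this thread. It assumes an in-memory store and a plain map in place of the site's real hashed password store; the ResetService type and its function names are constructed for the illustration. It shows the three properties the discussion turns on: nothing credential-like is emailed, the token is kept only as a hash, and it is single-use and expiring, so whichever party consumes it first wins and the second is refused, which is also what makes the "attacker got there first" case visible to the legitimate user.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// Added example, not phpBB's code. Assumption: an in-memory store and a plain
// Passwords map stand in for the site's real (hashed) password storage.

type resetRecord struct {
	TokenHash [32]byte // only the hash is kept, so a database leak exposes no live tokens
	Expires   time.Time
	Used      bool
}

type ResetService struct {
	tokens    map[string]resetRecord // user -> the one outstanding reset
	Passwords map[string]string
	TTL       time.Duration
}

func NewResetService(ttl time.Duration) *ResetService {
	return &ResetService{tokens: map[string]resetRecord{}, Passwords: map[string]string{}, TTL: ttl}
}

// IssueToken makes the secret that goes into the emailed link. No password is
// mailed; the token dies after one use or after TTL, and issuing a new one
// replaces any older outstanding one for the same user.
func (s *ResetService) IssueToken(user string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	s.tokens[user] = resetRecord{TokenHash: sha256.Sum256([]byte(tok)), Expires: now.Add(s.TTL)}
	return tok, nil
}

// ResetLink is what the email carries: a link, not a credential.
func ResetLink(base, user, tok string) string {
	return base + "/reset?" + url.Values{"user": {user}, "token": {tok}}.Encode()
}

// Consume checks the token (constant-time, against the stored hash), then its
// single-use and expiry state, and only then sets the new password. Whoever
// presents the same token second is refused.
func (s *ResetService) Consume(user, tok, newPassword string, now time.Time) error {
	rec, ok := s.tokens[user]
	if !ok {
		return errors.New("no reset pending for this user")
	}
	h := sha256.Sum256([]byte(tok))
	if subtle.ConstantTimeCompare(h[:], rec.TokenHash[:]) != 1 {
		return errors.New("invalid token")
	}
	if rec.Used {
		return errors.New("token already used")
	}
	if now.After(rec.Expires) {
		return errors.New("token expired")
	}
	rec.Used = true
	s.tokens[user] = rec
	s.Passwords[user] = newPassword
	return nil
}

// PasswordChanged is called from the ordinary profile-page password change; it
// cancels any outstanding reset token so an old email cannot undo the change.
func (s *ResetService) PasswordChanged(user string) {
	delete(s.tokens, user)
}

func main() {
	s := NewResetService(time.Hour)
	now := time.Now()
	tok, _ := s.IssueToken("askmike", now)
	fmt.Println("email contains:", ResetLink("https://forum.example", "askmike", tok))
	fmt.Println("first use: ", s.Consume("askmike", tok, "chosen-by-user", now))
	fmt.Println("second use:", s.Consume("askmike", tok, "chosen-by-someone-else", now))
}
```

Compared with mailing a freshly generated password plus an activation link, the difference is that the emailed secret here never becomes a credential: it is exchanged once for the right to set a password the user chose over HTTPS, and a password change through the profile page cancels it.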
