The Houdini Forum saves passwords in clear text?

Member
3 posts
Joined: Sept. 2013
Hi

I just registered for the forum and noticed my password was included in clear text in the activation email.

I don't like having my passwords sent in clear over email and it makes me wonder - does the Houdini Forum save all of our passwords unhashed in their database?

Given the number of websites and forums that have had their databases leaked/hacked, this seems like a bit of a security flaw to me.

So make sure you don't use your Houdini Forum passwords anywhere else, just in case.
Member
1743 posts
Joined: March 2012
vilhelmo
> I just registered for the forum and noticed my password was included in clear text in the activation email.

Yeah, that's not good. I'll see if there's something simple we can do to fix that.

> does the Houdini Forum save all of our passwords unhashed in their database?

It seems that the passwords are all saved hashed in the database. The activation email is sent immediately, before throwing away the plaintext copy, which is why it has access to the plaintext password.

> Given the number of websites and forums that have had their databases leaked/hacked, this seems like a bit of a security flaw to me.

I'd be more concerned that emails between different networks are pretty much all sent unencrypted, and in the U.S., all of the points in between are pretty much required by their federal government to record everything and send the data around to tons of 3rd parties. It's also not good that the forum sends the plaintext password to Side Effects in the first place, since it should be hashed on the client side, but that's another matter, and fixing that won't really prevent man-in-the-middle attacks.
Writing code for fun and profit since... 2005? Wow, I'm getting old.
https://www.youtube.com/channel/UC_HFmdvpe9U2G3OMNViKMEQ
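A registration flow that avoids the issue discussed in this thread, as an added sketch that is not the forum's actual code: the password is hashed on receipt and the activation email is built only from a single-use token. The in-memory `USERS` store, the `forum.example` URL and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

USERS = {}  # in-memory stand-in for the forum database (constructed for this example)
ACTIVATION_URL = "https://forum.example/activate"  # placeholder URL (assumption)

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated KDF from the standard library; only its output is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(username: str, password: str) -> str:
    """Store derived values only and return the activation email body."""
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        # Store a hash of the token so a database leak yields no usable links.
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "active": False,
    }
    # The email is built from the username and token; the password is never passed here.
    return (f"Hello {username},\n"
            f"activate your account: {ACTIVATION_URL}?user={username}&token={token}\n")

def activate(username: str, token: str) -> bool:
    """Accept the emailed token once, comparing hashes in constant time."""
    user = USERS.get(username)
    if user is None or user["token_hash"] is None:
        return False
    candidate = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(candidate, user["token_hash"]):
        return False
    user["active"], user["token_hash"] = True, None  # token is single use
    return True

def check_login(username: str, password: str) -> bool:
    """Verify a login attempt against the stored salted hash."""
    user = USERS.get(username)
    if user is None or not user["active"]:
        return False
    attempt = _hash_password(password, user["salt"])
    return hmac.compare_digest(attempt, user["pw_hash"])
```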