Please fix this very bad practice. Passwords should never be sent in cleartext via e-mail…
Makes me wonder about how account credentials are stored also =\
Your credentials are not stored in cleartext. That's why mods are unable to recover passwords, but rather it gets reset to something random
But yeah, it would be better to send some one-time link instead, sending the new pw in cleartext isn't very secure :<
The server should not even know the password, right?
Only its hash value.
The assumption of course is that you are immediately going to change the password afterwards, at which point it no longer matters that it’s in the e-mail in plain text. It’s not optimal but it’s not that bad imo. It’s not like OGS accounts contain sensitive information.
My lazy ass hasn't changed the password since. In fact, when I need to log in, I search my email inbox to look for the OGS Password Reset email. Also, as a side note, I don't understand why the alternative password that OGS sends is just plain numbers. That's not very secure, no?
The fact that it’s sent in clear text means that the server is storing it as that value and not a hash. So yes, it is being stored in cleartext (at least the password that’s sent as part of the reset process), and hopefully it’s being encrypted. But this still allows someone with access to the encrypted password + key to read the password.
This doesn’t necessarily mean that passwords set by the user are stored this way, but it’s not a good sign.
Correct. And preferably a salted hash.
Never assume what the user will do when it comes to security. Best practice is going to be better than expecting a random end user to recognize what you’re doing is bad and take action on their own. Case in point, CelestialObject’s reply.
cc: @GreenAsJade
Please don’t do that…
I mean, seriously, please go change it xD
Thanks for the heads up! Done.
I don’t know what the server is actually doing, but this is not a valid conclusion - it could easily generate a password, save a hash, send the email, and throw away the cleartext value.
Any kind of access token sent to your email is necessarily going to be sent in cleartext, since emailing you a hash of the info wouldn't be particularly useful.
True, but it’s not necessary. A one-time link that allows the user to set his own new password is also possible and more secure.
However, there is a small benefit to the current approach. It’s less work for some users – they don’t have to generate or store a new password themselves, as long as they don’t care about getting hacked on OGS. Case in point, CelestialObject’s reply.
I don’t think that benefit outweighs the negatives, but I’ll let the jury decide.
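The two server-side options the thread keeps circling (a temporary password that is hashed and discarded after the mail goes out, as one reply describes, versus a one-time reset link that lets the user pick their own password) can both be written so that the server never keeps anything usable in cleartext. The following is an added example, not OGS code or anything from the OGS developers; the `ResetService` class, its in-memory dictionaries, the `example.invalid` URL and the 15-minute token lifetime are all assumptions chosen for illustration. Passwords are stored only as salted PBKDF2 hashes, reset tokens are stored only as SHA-256 digests, and a token can be redeemed once before it expires.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed lifetime for a reset token; not an OGS value.
TOKEN_TTL_SECONDS = 15 * 60


class ResetService:
    """Constructed in-memory model of a password-reset flow (example only)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested deterministically
        self.users = {}         # username -> {"salt": bytes, "hash": bytes}
        self.pending = {}       # username -> {"token_hash": bytes, "expires": float}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        # Salted, deliberately slow KDF: a leaked table is expensive to crack.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt,
                                "hash": self._hash_password(password, salt)}

    def verify_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"],
                                   self._hash_password(password, rec["salt"]))

    def issue_temporary_password(self, username: str) -> str:
        """The 'mail a new password' approach done the hash-and-discard way:
        the cleartext is returned once for the e-mail body and not retained."""
        temp = secrets.token_urlsafe(12)          # random letters/digits, not just digits
        self.set_password(username, temp)         # only the salted hash is stored
        return temp

    def request_reset(self, username: str) -> str:
        """The one-time-link approach: store the token's hash, mail the token."""
        token = secrets.token_urlsafe(32)
        self.pending[username] = {
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": self.clock() + TOKEN_TTL_SECONDS,
        }
        # This URL would go into the e-mail; the raw token is not kept server-side.
        return f"https://example.invalid/reset?user={username}&token={token}"

    def redeem_reset(self, username: str, token: str, new_password: str) -> bool:
        """Consume the token and let the user set their own password."""
        rec = self.pending.get(username)
        if rec is None:
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(rec["token_hash"], supplied):
            return False
        if self.clock() > rec["expires"]:
            del self.pending[username]            # stale token is useless either way
            return False
        del self.pending[username]                # single use
        self.set_password(username, new_password)
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.set_password("alice", "correct horse")
    link = svc.request_reset("alice")
    print("link that would be e-mailed:", link)
    token = link.split("token=")[1]
    print("redeemed:", svc.redeem_reset("alice", token, "new passphrase"))
    print("old password still works:", svc.verify_password("alice", "correct horse"))
```

Even in the temporary-password variant, what reaches the inbox is the only cleartext copy; a database dump exposes nothing but salted hashes. The link variant additionally removes the incentive to keep using the mailed value, which is the failure mode described earlier in the thread.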
_KoBa already told us passwords are not being stored in plaintext. So the server is just sending the generated password in plain text, not storing it that way.
Never assume what the user will do when it comes to security. Best practice is going to be better than expecting a random end user to recognize what you’re doing is bad and take action on their own. Case in point, CelestialObject’s reply.
I’m well aware it’s not best practice to give the user any such responsibility, I just don’t think it’s a big deal. It’s a Go server, not a bank. Something to put on the backlog, but not something I would prioritize if I were the devs.
Don’t join the British Go mailing lists then: you get a monthly reminder email of your (current) password in plaintext!
sounds delicious…
Garlic soup with salted hash!
A whole new trend in edibles, born on the OGF