Meta-PokéBase Q&A
0 votes
563 views

The registration email you get after you sign up includes the password you entered in plain text. This is a bad security practice due to the ease of snooping and should never, ever be done. So please see to it that it gets removed from the registration email.

As an aside, it also makes me wonder whether or not the database system behind this site is using hashed and salted passwords. Database hacks and subsequent exposure of email addresses and passwords stored in plain text are quite common nowadays.

by
Nobody continue with the commenting on this, please. Arguing won't solve anything.

1 Answer

1 vote

First of all, I want to say that asmodai is correct in most of his comments. (Sorry for any hostility you received.) Even if this place is "just a Pokemon site", security is still important. There are many things that could go wrong if someone's account is hacked. Not just spam on this site, but potential impersonation of members of which the possibilities are endless (most simple example: someone impersonates me and asks people to donate to the site).

Onto the main topic. Passwords on this site are hashed and salted in the database. There is no way for me to know anyone's password. The software we use is an open source application called Question2Answer so you can go and look at the code to verify that, if you like.

However, the password is included in the email when you register. This is only possible at that moment because you just typed it into the registration form. After that there is no way to know the password so it wouldn't be sent out.

But you are correct that since emails are not encrypted, it is a small issue that they are sent at all. I will go ahead and remove the password from the registration emails.

by
No worries, I can take some heat and I know the people supporting your site are passionate. So no harm done on my account. I enjoy your site as well, which is why I reached out to you.

Awesome news about the hash and salts. I figured, based on the rest of the site design, that it was most likely the case, but it's comforting to know nonetheless. And thanks for the password email change. Cheers mate!
No problem. And I've just updated the registration emails already, to remove the password.