#1 2014-08-06 23:49:13

joeuser
Member
2014-08-06
7

Disabling password being sent in registration email

Hello/Hi/Greetings,

Is there a way to disable the sending of clear-text passwords in the email when users register? This is a very big security flaw!

Piwigo version: 2.6
PHP version: 5
MySQL version: 5.5
Piwigo URL: http://


 

#2 2014-08-06 23:59:47

joeuser
Member
2014-08-06
7

Re: Disabling password being sent in registration email

Never mind. I found a solution by editing include/functions_user.inc.php and commenting out the line:

get_l10n_args('Password: %s', stripslashes($password)),

#get_l10n_args('Password: %s', stripslashes($password)),


 

#3 2014-09-04 15:14:23

Ruhe
Guest

Re: Disabling password being sent in registration email

Thanks for sharing.

You're right, it's a security flaw and should be disabled by default.

 

#4 2014-09-04 20:54:54

nicolas
Former Piwigo Team
2004-12-30
1232

Re: Disabling password being sent in registration email

People can uncheck the checkbox to not receive information by mail. What do you want exactly?


 

#5 2014-09-06 02:52:06

joeuser
Member
2014-08-06
7

Re: Disabling password being sent in registration email

I still want the users to receive the emails, just don't want their passwords included.

If they forget their passwords, they can always reset them.


 

#6 2014-09-06 18:33:44

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13885

Re: Disabling password being sent in registration email

When you create a user from [Administration > Users > Manage], it won't be coherent if you don't send the password. Trust me, your user won't understand how to log in...

When the user registers herself, she doesn't have to check the option "send an email with my connection settings".

I can't let you say it's a "security flaw". Users can change their password once received. It's more a "user experience" feature in my opinion.

Before we implement this checkbox, how did I send the password to my users? in clear text in a manual email. So for me, it's better to let Piwigo do the work!


 

#7 2014-09-06 19:15:32

nicolas
Former Piwigo Team
2004-12-30
1232

Re: Disabling password being sent in registration email

plg wrote:

When you create a user from [Administration > Users > Manage], it won't be coherent if you don't send the password. Trust me, your user won't understand how to log in...

When the user registers herself, she doesn't have to check the option "send an email with my connection settings".

I can't let you say it's a "security flaw". Users can change their password once received. It's more a "user experience" feature in my opinion.

Before we implement this checkbox, how did I send the password to my users? in clear text in a manual email. So for me, it's better to let Piwigo do the work!

I agree, Joe, it's a security flaw, but as Pierrick said, when you manage a gallery with many accesses it rapidly becomes boring to give passwords to people another way. Joe, how did you proceed? Have you any ideas?

A better (but not perfect) solution could be to give one-time access with a link to a page for changing the password. The link can only be used until the password is changed and, for example, for up to 24 hours.

P.S.: Perhaps the checkbox can be unchecked by default on the register page.

Last edited by nicolas (2014-09-06 19:17:38)


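The one-time link nicolas proposes above, written out as an added example. This is not Piwigo code and does not touch include/functions_user.inc.php; it assumes PHP 7.4+, uses an in-memory array in place of the user and token tables, and returns the mail body as a string instead of sending it. The registration mail carries only the link; the server stores a SHA-256 hash of the token, refuses it after 24 hours, and deletes it on first successful use.

```php
<?php
// Added illustration (not Piwigo's code): mail a single-use, 24-hour
// "choose your password" link instead of the clear-text password.
// Assumptions: PHP 7.4+, in-memory arrays stand in for the database tables,
// and the mail is returned as text rather than sent.

const LINK_TTL_SECONDS = 24 * 3600;

final class PasswordLinkStore
{
    /** token_hash => ['user_id' => int, 'expires' => int]; redeemed entries are deleted */
    private array $tokens = [];
    /** user_id => password hash, null until the user has chosen a password */
    private array $passwords = [];

    public function createUser(int $user_id): void
    {
        $this->passwords[$user_id] = null;      // no usable password until the link is redeemed
    }

    /** Returns the link to put in the registration mail. */
    public function issueLink(int $user_id, string $base_url, int $now): string
    {
        $token = bin2hex(random_bytes(32));     // 256 random bits, URL-safe hex
        // Store only a hash: reading the table (backup, SQL injection) must not
        // yield redeemable links.
        $this->tokens[hash('sha256', $token)] = [
            'user_id' => $user_id,
            'expires' => $now + LINK_TTL_SECONDS,
        ];
        return $base_url . '/set_password.php?key=' . $token;   // hypothetical page name
    }

    /** Sets the password and returns the user id, or null if the link is not valid. */
    public function redeem(string $token, string $new_password, int $now): ?int
    {
        $key = hash('sha256', $token);
        if (!isset($this->tokens[$key])) {
            return null;                        // unknown or already used
        }
        $entry = $this->tokens[$key];
        if ($now > $entry['expires']) {
            unset($this->tokens[$key]);         // expired: drop it
            return null;
        }
        if (strlen($new_password) < 8) {
            return null;                        // reject without consuming the link
        }
        unset($this->tokens[$key]);             // single use: consume before storing
        $this->passwords[$entry['user_id']] = password_hash($new_password, PASSWORD_DEFAULT);
        return $entry['user_id'];
    }

    public function checkLogin(int $user_id, string $password): bool
    {
        $hash = $this->passwords[$user_id] ?? null;
        return $hash !== null && password_verify($password, $hash);
    }
}

/** Registration mail body: carries the link, never the password. */
function registration_mail(string $username, string $link): string
{
    return "Hello $username,\n\n"
         . "Your account has been created. Choose your password here "
         . "(link valid for 24 hours, single use):\n$link\n";
}

function expect(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("failed: $what"); }
}

// --- demo with constructed data ---
$store = new PasswordLinkStore();
$now   = time();
$store->createUser(42);
$link  = $store->issueLink(42, 'https://gallery.example', $now);
echo registration_mail('joeuser', $link);

parse_str(parse_url($link, PHP_URL_QUERY), $query);
$token = $query['key'];
expect($store->redeem($token, 'correct horse battery', $now + 3600) === 42, 'first use works');
expect($store->checkLogin(42, 'correct horse battery'), 'login with chosen password');
expect($store->redeem($token, 'another password', $now + 3600) === null, 'second use refused');

$late = $store->issueLink(42, 'https://gallery.example', $now);
parse_str(parse_url($late, PHP_URL_QUERY), $q2);
expect($store->redeem($q2['key'], 'some new password', $now + LINK_TTL_SECONDS + 1) === null, 'expired link refused');
echo "OK\n";
```

This is the "not perfect" part nicolas mentions: anyone reading the mailbox or the SMTP relay within the 24-hour window can still redeem the link before the user does, so the gain over mailing the password is the short lifetime and the fact that the user's eventual password never transits email at all.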
 

#8 2014-11-19 06:23:07

lemorange
Guest

Re: Disabling password being sent in registration email

It is a security flaw because user passwords are clearly readable as plain text in the sent mails, as long as someone has access to the SMTP account used for sending out registration mails.

 

Powered by FluxBB

Piwigo.org © 2002-2025