so there's a little confusion here.
Well, it happens... maybe next time don't let 5 months pass by before telling us we should change our passwords, you could have easily reset everyone's passwords and sent a notification, after fixing the database's security issue
little confusion here, the new password is sent by email, but only activated if the user validates the change by clicking on the link in the email. so as long as the hacker didn't get access to the user email, he can't change the password.
2. Email out a password reset link, and ONLY reset the password after that link is accessed (thereby validating that the reset request came from the owner of the email/account).
it is true, but please understand it is a bit tricky to implement on the old code base of opensubtitles.org
To Opensubtitles, you should really consider improving your password reset also. The password is sent unencrypted in plain text in the email. You should really be directing the users to a password reset on the website. All passwords that have been sent out should be considered busted, and changed. The email even says "You can change your password after you log in." not, "you should".
If any password is sent over email, it must immediately be changed. It shouldn't even be an option to continue using that password. It must be a requirement to change that password when you log in the first time. If you insist on actually sending passwords in plaintext in unencrypted emails.
little confusion here, the new password is sent by email, but only activated if the user validates the change by clicking on the link in the email. so as long as the hacker didn't get access to the user email, he can't change the password.
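The flow the two posters are asking for (a one-time reset link, with the password changed only after the link is used, and nothing secret ever put in the e-mail) looks like this in code. This is an added example written for this thread, not opensubtitles.org's code; the service name, the 15-minute expiry, the `example.invalid` addresses and the in-memory outbox standing in for SMTP are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links die after 15 minutes


@dataclass
class User:
    email: str
    password_hash: bytes = b""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; only the derived key is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_login(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


class PasswordResetService:
    """Reset flow in which the e-mail carries only a one-time link; the
    password is changed when that link is used, never before."""

    def __init__(self, users: dict):
        self.users = users
        # sha256(token) -> (email, expiry). Only the hash is stored, so a
        # leaked copy of this table contains no usable reset links.
        self._pending = {}
        self.outbox = []  # (recipient, body); stand-in for an SMTP client

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        # Same observable behaviour for unknown addresses: no account enumeration.
        if email not in self.users:
            return
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._pending[self._digest(token)] = (email, now + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"https://example.invalid/reset?token={token}"))

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        user = self.users[email]
        user.salt = secrets.token_bytes(16)  # fresh salt with every new password
        user.password_hash = hash_password(new_password, user.salt)
        return True


def demo() -> dict:
    """Walks through the flow on a constructed user and reports each check."""
    alice = User("alice@example.invalid")
    alice.password_hash = hash_password("old-pass", alice.salt)
    svc = PasswordResetService({alice.email: alice})

    svc.request_reset("nobody@example.invalid")        # unknown: no mail, no error
    svc.request_reset(alice.email, now=1000.0)
    token = svc.outbox[-1][1].split("token=")[1]       # what the user clicks

    results = {
        "no_mail_for_unknown_user": len(svc.outbox) == 1,
        "password_unchanged_before_click": verify_login(alice, "old-pass"),
        "wrong_token_rejected": svc.complete_reset("bogus", "x", now=1001.0) is False,
        "reset_ok": svc.complete_reset(token, "new-pass", now=1001.0),
        "token_not_reusable": svc.complete_reset(token, "again", now=1002.0) is False,
        "new_password_works": verify_login(alice, "new-pass"),
        "old_password_dead": not verify_login(alice, "old-pass"),
    }

    svc.request_reset(alice.email, now=2000.0)
    stale = svc.outbox[-1][1].split("token=")[1]
    results["expired_token_rejected"] = (
        svc.complete_reset(stale, "late", now=2000.0 + TOKEN_TTL_SECONDS + 1) is False
    )
    results["stale_link_did_not_change_password"] = verify_login(alice, "new-pass")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point worth noticing against the thread: an attacker who reads the mailbox later, or a mail server that logs bodies, gets a link that has already been consumed or expired, not a working password. Storing the token hashed also means the "database's security issue" from the first post would not have exposed live reset links.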
we don't think it's ok, we fixed the issue for the future.
GO hire a fucking security guy and get your shit in order, It's 2022 and still you guys think this is OK ?
we don't insist on doing like this... we realize the system is deprecated, we are building an entire redesign from scratch to solve all the issues.
If any password is sent over email, it must immediately be changed. It shouldn't even be an option to continue using that password. It must be a requirement to change that password when you log in the first time. If you insist on actually sending passwords in plaintext in unencrypted emails.
little confusion here, the new password is sent by email, but only activated if the user validates the change by clicking on the link in the email. so as long as the hacker didn't get access to the user email, he can't change the password.
Well... in the first place, there should be NO HACKING EXPENSES
we don't think it's ok, we fixed the issue for the future.
with all the hack expenses we are working for free for quite a few months now, still offering a free service to 98% of users, who mostly use ad-blockers. security guys make more money than us, please try to understand that.