As I am the web master of our intranet TWikiWeb, receiving an email about every user registering. Now, that's a great thing, but since I had to enable the password/confirm boxes (I didn't get around to use NIS on my apache), the email that BCC'ies to the web master contains the password of the user in plain text. I consider this a security hole; I don't want to know about those passwords, and I don't want anybody suspecting I had access to those passwords :). I suggest to take out the BCC line in the template/registernotify template for public distributions of TWiki.

-- StefanRenz - 31 Jul 2000

Or leave it the way it is but add a new flag in wikicfg.pm to optionally hide the password in the confirmation email, i.e. to show

	* Password: ****** 

instead of the plain text password. That way it is up to the web master to decide if the password is shown or not.

-- PeterThoeny - 31 Jul 2000

Smaller security hole: password
ELEVENSTARS, which remains properly printed even after such hiding:
*********** - still 11 stars

-- IvAn? - 02 Aug 2000

I just edited 'bin/register' at about line 126 to read:

	 for( $x = 0; $x < $formLen; $x++ ) {
		  if( $formDataName[$x] ne "Confirm" && $formDataName[$x] ne "Password") {
				$before .= "	* $formDataName[$x]\: $formDataValue[$x]\n";
		  }
	 }

I just added the ne "Password" part. This remove the password from the emails. The users don't need to see their password either.

-- WayneScott - 07 Sep 2000

I made this configurable. Flag $doHidePasswdInRegistration in wikicfg.pm hides the password, is "1" by default.

Commited to TWikiAlphaRelease.

-- PeterThoeny - 03 Nov 2000

TopicClassification:

FeatureDone