First post, so go easy on me. ;)

We have had a new member on our forum concerned about the activation email that is sent. It contains both his username and password.

I've done a little digging and this has come up a few times before. If passwords are hashed before being stored in the system (MD5?), how does the activation email contain the user's password in plain text? Am I to assume the email is generated from what they have keyed in at the time of registration?

It seems that the practice of emailing passwords (except temporary, user-requested ones) is not too acceptable anymore. We have modified our mailer.php file to exclude the string.

Interestingly, as I am a new user to this forum, I just received my activation email. And it contained both my username and password.

-mike
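
The mechanism asked about above, as an added illustration that is not part of the original post and not the forum software's own code: the registration handler still holds the submitted plaintext in memory when it builds the mail, even though only a hash is stored. The function names, templates, `forum.example` URL and sample values are hypothetical, and `password_hash()` is used here in place of the MD5 the post guesses at.

```php
<?php
// Added example. All names and values below are constructed for illustration.

// Template that leaks the password, and one with the placeholder removed.
const TEMPLATE_WITH_PASSWORD = "Welcome {USERNAME}!\nPassword: {PASSWORD}\nActivate: {LINK}\n";
const TEMPLATE_WITHOUT_PASSWORD = "Welcome {USERNAME}!\nActivate: {LINK}\n";

// Substitute {KEY} placeholders in a mail template.
function render_mail(string $template, array $vars): string
{
    $map = [];
    foreach ($vars as $key => $value) {
        $map['{' . $key . '}'] = $value;
    }
    return strtr($template, $map);
}

// Returns the row that would be stored and the mail body that would be sent.
function register_user(string $username, string $password, bool $mailPassword): array
{
    // Only the hash and an activation token are persisted.
    $row = [
        'username'  => $username,
        'pass_hash' => password_hash($password, PASSWORD_DEFAULT),
        'token'     => bin2hex(random_bytes(16)),
    ];
    $vars = [
        'USERNAME' => $username,
        'LINK'     => 'https://forum.example/activate?token=' . $row['token'],
    ];
    if ($mailPassword) {
        // $password is still the plaintext from the registration form here,
        // which is how it reaches the mail without the hash being reversed.
        $vars['PASSWORD'] = $password;
        return ['row' => $row, 'mail' => render_mail(TEMPLATE_WITH_PASSWORD, $vars)];
    }
    return ['row' => $row, 'mail' => render_mail(TEMPLATE_WITHOUT_PASSWORD, $vars)];
}

$password = 'constructed-sample-pw';
$before = register_user('mike', $password, true);
$after  = register_user('mike', $password, false);

echo "stored value equals plaintext: ";
var_dump($before['row']['pass_hash'] === $password);
echo "mail (before) contains password: ";
var_dump(strpos($before['mail'], $password) !== false);
echo "mail (after) contains password: ";
var_dump(strpos($after['mail'], $password) !== false);
```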