this post was submitted on 30 Oct 2025
1 points (60.0% liked)

Cybersecurity

8612 readers
93 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago
MODERATORS
kid@sh.itjust.works
Lanky_Pomegranate530@midwest.social
1
VintageStory's wiki emails you a temporary password when requesting a password reset, is this insecure? (lemmy.dbzer0.com)
submitted 2 weeks ago by moosetwin@lemmy.dbzer0.com to c/cybersecurity@sh.itjust.works
4 comments fedilink hide all child comments
 

Note: The password in this image is no longer valid, don't kill me

This is just used by their wiki, the side with the payment stuff uses a different system (and a separate login)

you are viewing a single comment's thread
view the rest of the comments
[–] vf2000@lemmy.zip 2 points 2 weeks ago

No, it is not "insecure." It aligns with OWASP guidance: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

When would it be problematic? It would be problematic if they sent your actual password in cleartext as part of the "reset." This would show that they can access your password in plain text within their database, which is the worst way of storing passwords on servers. (Dedicated password hashing algorithms exist to securely store passwords.) What they provided you is a one-time password.