This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.
This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and are ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.
The number of people accepting email for some magic thing without in-between mechanisms is ridiculous. If it's sent in an email you should 100% consider it to be stored in plaintext in multiple places. There is incredible amount of machinery between your
mail()
call and the end user reading that email, on both the sending and receiving end. For example, my spam filter (rspamd) will likely store a copy of it for a while, and that's not unique to it.What's in the database is not really relevant. Only the worst instance of storage counts.