I lost my password to the OpenWRT wiki, so I went to reset it, but instead I got THIS:
Hi HACKER3000!
Here is your userdata for OpenWrt Wiki at https://openwrt.org/
Login : hacker-3000
Password : [REDACTED]
This mail was generated by DokuWiki at
https://openwrt.org/
What?
Why aren't the passwords hashed? In case of an intrusion, getting plaintext passwords stolen by hackers would be an absolute nightmare for everyone involved. I have set up a DokuWiki instance as well and it hashes the passwords because bcrypt is the default hash algo.
Is there a good reason for this or was it just overlooked?
The passwords on the server are bcrypt hashed, also:
$conf['passcrypt'] = 'bcrypt'; //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411,bcrypt)
$conf['autopasswd'] = 1; //autogenerate passwords and email them to user
The system likely autogenerated a password for you (I've seen you authenticated via Github at least once) and sent it. It is not stored in plaintext on the server.
Seems like there is no function to simply change a password from old to new.
If I were concerned that the plaintext password I received could be sitting on a mail server somewhere, and wanted to immediately change it, I would be stuck in the plaintext email loop.
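Added example, not part of the thread and not DokuWiki's own code: a small audit of the two settings quoted above, separating how passwords are stored (`passcrypt`) from how a new password is delivered (`autopasswd`). The function names `parse_conf` and `audit` are hypothetical, and both sample configs are constructed.

```python
import re

# Methods named in the passcrypt comment quoted in the thread. Only bcrypt
# in that list is an adaptive (deliberately slow) password hash.
LISTED_METHODS = {"smd5", "md5", "sha1", "ssha", "crypt", "mysql", "my411", "bcrypt"}
ADAPTIVE = {"bcrypt"}

# Matches active lines of the form: $conf['key'] = value;  // optional comment
CONF_LINE = re.compile(r"""^\s*\$conf\[\s*['"](\w+)['"]\s*\]\s*=\s*(.+?)\s*;""")


def parse_conf(text):
    """Return {key: value} for simple scalar $conf assignments."""
    settings = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def audit(settings):
    """Return findings for the two settings discussed in the thread."""
    findings = []
    method = settings.get("passcrypt")
    if method is None:
        findings.append("passcrypt not set in this file; the installation default applies")
    elif method not in LISTED_METHODS:
        findings.append(f"passcrypt={method!r} is not in the quoted method list; check by hand")
    elif method not in ADAPTIVE:
        findings.append(f"passcrypt={method!r} is a fast hash; stored hashes are cheap to brute-force")
    # Storage and delivery are separate: bcrypt at rest does not stop a
    # freshly generated password from travelling in a cleartext email.
    if settings.get("autopasswd") == "1":
        findings.append("autopasswd=1: generated passwords are emailed in cleartext")
    return findings


# Constructed sample configs (not taken from any real server).
SAMPLE_THREAD = """
$conf['passcrypt'] = 'bcrypt'; //Used crypt method
$conf['autopasswd'] = 1; //autogenerate passwords and email them to user
"""
SAMPLE_WEAK = """
$conf['passcrypt'] = 'smd5';
$conf['autopasswd'] = 0;
"""

if __name__ == "__main__":
    for name, text in (("thread", SAMPLE_THREAD), ("weak", SAMPLE_WEAK)):
        for finding in audit(parse_conf(text)):
            print(f"{name}: {finding}")
```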