Did the Wiki really just mail me my password?!

(Sorry if this is the wrong category)

I lost my password to the OpenWRT wiki so I went to reset it, but instead I got THIS:

Hi HACKER3000!

Here is your userdata for OpenWrt Wiki at https://openwrt.org/

Login : hacker-3000
Password : [REDACTED]

This mail was generated by DokuWiki at
https://openwrt.org/

What? :face_with_raised_eyebrow:

Why aren't the passwords hashed? In case of an intrusion, getting plaintext passwords stolen by hackers would be an absolute nightmare for everyone involved. I have set up a DokuWiki instance as well and it hashes the passwords because bcrypt is the default hash algo.

Is there a good reason for this or was it just overlooked?

1 Like

The passwords on the server are bcrypt hashed, also:

$conf['passcrypt']   = 'bcrypt';           //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411,bcrypt)
$conf['autopasswd']  = 1;                //autogenerate passwords and email them to user

The system likely autogenerated a password for you (I've seen you authenticated via GitHub at least once) and sent it. It is not stored in plaintext on the server.

2 Likes
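An added example, not part of the thread or of DokuWiki's code: a small Python check that reads `$conf[...]` lines like the two quoted in the reply above and reports what they imply for stored hashes and emailed passwords. The function names and the second sample config are constructed for illustration, and treating every listed method except bcrypt as a fast hash is this example's own assessment.

```python
import re

# Methods named in the comment of the quoted config line.
LISTED = {"smd5", "md5", "sha1", "ssha", "crypt", "mysql", "my411", "bcrypt"}
# Of those, only bcrypt is an adaptive (deliberately slow) password hash.
ADAPTIVE = {"bcrypt"}

# Matches simple assignments such as: $conf['key'] = 'value';  // comment
CONF_LINE = re.compile(r"""^\s*\$conf\[\s*['"](?P<key>\w+)['"]\s*\]\s*=\s*(?P<val>'[^']*'|"[^"]*"|\d+)\s*;""")


def parse_conf(text):
    """Return {key: value} for every simple $conf['key'] = value; line."""
    conf = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            val = m.group("val")
            conf[m.group("key")] = int(val) if val.isdigit() else val[1:-1]
    return conf


def review(conf):
    """Return a list of findings for the two settings discussed in the thread."""
    findings = []
    method = conf.get("passcrypt")
    if method is None:
        findings.append("passcrypt is not set in this file; check the defaults")
    elif method not in LISTED:
        findings.append(f"passcrypt '{method}' is not in the quoted list; review manually")
    elif method not in ADAPTIVE:
        findings.append(f"passcrypt '{method}' is a fast hash; stored passwords are cheap to brute-force")
    if conf.get("autopasswd") == 1:
        findings.append("autopasswd=1: generated passwords are sent by email in cleartext")
    return findings


# The two lines quoted in the reply above.
THREAD_CONF = """
$conf['passcrypt']   = 'bcrypt';           //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411,bcrypt)
$conf['autopasswd']  = 1;                //autogenerate passwords and email them to user
"""
# Constructed counter-example: weak storage hash, no emailed passwords.
WEAK_CONF = "$conf['passcrypt'] = 'smd5';\n$conf['autopasswd'] = 0;\n"

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONF), ("constructed", WEAK_CONF)):
        print(name, review(parse_conf(text)))
```

The thread's settings produce only the email finding: the hash at rest is bcrypt, and the cleartext exposure is limited to the mail that carries the generated password.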

Seems like there is no function to simply change a password from old to new.

If I were concerned that the plaintext password I received could be sitting on a mail server somewhere, and wanted to immediately change it, I would be stuck in the plaintext email loop.

Oh good.
Sorry if I overreacted a bit. This reminded me too much of how the MySpace93 shitshow started, so I got a bit spooked.
