They can’t send it if they haven’t stored it, that’s the proof. Whether temporary or not it’s a weakness and attack vector for obtaining unhashed passwords. And if they stored it, it should be immediately hashed.
They can still send it while the value is in memory.
But it’s unlikely that emails are sent synchronously. At which point, it has to be added to a job queue somewhere which might not be in memory.
There is also the communication with that job queue, and logging along the way, and any email logging.
Email isn’t secure, either.
So, it bad practice regardless.
Thankfully larian did address this, and fixed the issue
lwuy9v5@lemmy.world 1 year ago
what a stupid comment
Miclux@lemmings.world 1 year ago
Show me where the proof is that they STORE it plain text. This is just a screen of a mail after creating an account.
Cabrio@lemmy.world 1 year ago
They can’t send it if they haven’t stored it, that’s the proof. Whether temporary or not it’s a weakness and attack vector for obtaining unhashed passwords. And if they stored it, it should be immediately hashed.
rikudou@lemmings.world 1 year ago
That… is not how it works. It is usually hashed and at the same time an email is sent. Meaning it’s not stored plaintext in any storage.
towerful@programming.dev 1 year ago
They can still send it while the value is in memory.
But it’s unlikely that emails are sent synchronously. At which point, it has to be added to a job queue somewhere which might not be in memory.
There is also the communication with that job queue, and logging along the way, and any email logging.
Email isn’t secure, either.
So, it bad practice regardless.
Thankfully larian did address this, and fixed the issue
Miclux@lemmings.world 1 year ago
It’s so sad that you spread misinformation based on your inadequate knowledge.
vox@sopuli.xyz 1 year ago
they can send it without storing. In fact a lot of websites (mostly small forums) send your password to your email before storing it.