Sending passwords in registration emails: please stop
- moonlightcheese
- Forum Newbie
- Posts: 5
- Joined: Thu Aug 23, 2007 8:05 am
Sending passwords in registration emails: please stop
I know this is probably default behavior in phpBB, but it's generally bad practice to send a password in an email unless a user asks for it explicitly, and I personally don't appreciate it. It's simply not necessary, it's a security risk for the user and it's easily fixable. Thanks.
- CoderGoblin
- DevNet Resident
- Posts: 1425
- Joined: Tue Mar 16, 2004 10:03 am
- Location: Aachen, Germany
Re: Sending passwords in registration emails: please stop
My 2 cents...
moonlightcheese wrote: ... it's generally bad practice to send a password in an email unless a user asks for it explicitly ...
Says who?
I have joined a number of forums, each with different usernames/passwords. As such, an email sent lets me simply save the email and I can reference it whenever I need. If your mail/machine is compromised or other people have access to your mail you could be in some sort of trouble anyway.
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
Doesn't a tin foil hat interfere with wifi?
On a serious note, as a forum admin (not this forum) it's worth way more for the average user to have a record of their username and password than to have the kind of security practice you're talking about.
There are too many security variables at play here anyway. http is not a secure protocol, so even logging in (or signing up!) is potentially "open" to packet sniffing. You can do things to protect this kind of data, but then you're likely in a VPN and not on the net, chatting in a forum. My recommendation: don't use a valuable password on the net... at all.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Re: Sending passwords in registration emails: please stop
moonlightcheese wrote: it's simply not necessary, it's a security risk for the user and it's easily fixable. thanks.
Easily fixable? Have you ever looked at the phpbb source code?
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Sending passwords in registration emails: please stop
moonlightcheese wrote: it's generally bad practice to send a password in an email unless a user asks for it explicitly
Since when? How many websites have you signed up for that didn't give you a confirmation email including your password? Registration should be the last time the website really has access to your plaintext password, so they give it to you in case you forget. The procedures for retrieving lost passwords or resetting forgotten passwords (in order to be secure) should not be simple processes, so they help you to avoid it by giving you a record.
If you don't want it, delete it. If you've got a backdoor on your PC... Then tough luck. Otherwise, you shouldn't be so paranoid.
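For reference, the registration flow the original poster is asking for, as an added example that is not part of the thread and not phpBB's code: the site keeps only a password hash and mails the username plus a single-use activation link instead of the password. The function names, the in-memory user array, the `forum.example` host and the 24-hour token lifetime are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; $users is an in-memory stand-in for the user table.
function register_user(array &$users, string $username, string $email, string $password): array
{
    // Only a salted hash is kept; the plaintext is never stored or mailed.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Single-use activation token: mail the raw value, store only its SHA-256.
    $token = bin2hex(random_bytes(32));
    $users[$username] = [
        'email'         => $email,
        'password_hash' => $hash,
        'token_hash'    => hash('sha256', $token),
        'token_expires' => time() + 86400,   // assumed 24-hour lifetime
        'active'        => false,
    ];

    $body = "Welcome, {$username}.\n"
          . "Activate your account: https://forum.example/activate?u="
          . rawurlencode($username) . "&t={$token}\n";
    return ['to' => $email, 'subject' => 'Confirm your registration', 'body' => $body];
}

function activate_user(array &$users, string $username, string $token): bool
{
    $u = $users[$username] ?? null;
    if ($u === null || $u['token_hash'] === null || time() > $u['token_expires']) {
        return false;
    }
    // Constant-time comparison of the stored and presented token hashes.
    if (!hash_equals($u['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['active'] = true;
    $users[$username]['token_hash'] = null;   // clears the token so it cannot be reused
    return true;
}

// Constructed sample run: register, then try the mailed token twice.
$users = [];
$mail = register_user($users, 'alice', 'alice@example.org', 'correct horse battery');
preg_match('/&t=([0-9a-f]{64})/', $mail['body'], $m);
var_dump(strpos($mail['body'], 'correct horse') === false); // mail body checked for the password
var_dump(activate_user($users, 'alice', $m[1]));            // first use of the token
var_dump(activate_user($users, 'alice', $m[1]));            // second use of the same token
var_dump(password_verify('correct horse battery', $users['alice']['password_hash']));
```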
- JAB Creations
- DevNet Resident
- Posts: 2341
- Joined: Thu Jan 13, 2005 6:44 pm
- Location: Sarasota Florida
- Contact: