Sending passwords in registration emails: please stop

We know you have an opinion on how things should be run around here. These are suggestions for the forums, and the website. This forum is not a place to ask for suggestions to your own coding (or otherwise) problems.

moonlightcheese
Forum Newbie
Posts: 5
Joined: Thu Aug 23, 2007 8:05 am

Sending passwords in registration emails: please stop

Post by moonlightcheese »

I know this is probably default behavior in phpBB, but it's generally bad practice to send a password in an email unless a user asks for it explicitly, and I personally don't appreciate it. It's simply not necessary, it's a security risk for the user and it's easily fixable. Thanks.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

...?

The system doesn't store passwords, so it won't send it, even if you ask for it. If you are that paranoid, you always have the ability to change your password.

Also, considering you fully realize it's phpBB that does this, why not go suggest this to them?
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Re: Sending passwords in registration emails: please stop

Post by CoderGoblin »

My 2 cents...
moonlightcheese wrote: ... it's generally bad practice to send a password in an email unless a user asks for it explicitly ...
Says who?

I have joined a number of forums, each with different usernames/passwords. As such, an email sent lets me simply save the email and I can reference it whenever I need. If your mail/machine is compromised or other people have access to your mail, you could be in some sort of trouble anyway.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Doesn't a tin foil hat interfere with wifi?

On a serious note, as a forum admin (not this forum) it's worth way more for the average user to have a record of their username and password than to have the kind of security practice you're talking about.

There are too many security variables at play here anyway. HTTP is not a secure protocol, so even logging in (or signing up!) is potentially "open" to packet sniffing. You can do things to protect this kind of data, but then you're likely in a VPN and not on the net, chatting in a forum. My recommendation: don't use a valuable password on the net... at all.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Re: Sending passwords in registration emails: please stop

Post by feyd »

moonlightcheese wrote: it's simply not necessary, it's a security risk for the user and it's easily fixable. thanks.
Easily fixable? Have you ever looked at the phpBB source code? :banghead:

;) Forward this to the phpBB guys, not us.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Sending passwords in registration emails: please stop

Post by superdezign »

moonlightcheese wrote: it's generally bad practice to send a password in an email unless a user asks for it explicitly
Since when? How many websites have you signed up for that didn't give you a confirmation email including your password? Registration should be the last time the website really has access to your plaintext password, so they give it to you in case you forget. The procedures for retrieving lost passwords or resetting forgotten passwords (in order to be secure) should not be simple processes, so they help you to avoid it by giving you a record.

If you don't want it, delete it. If you've got a backdoor on your PC... Then tough luck. Otherwise, you shouldn't be so paranoid.
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Post by JAB Creations »

Kieran is right, that is why I stick to my 123...err simple passwords on HTTP client-side forms. 8)