Sending passwords in registration emails: please stop
Posted: Thu Aug 23, 2007 8:10 am
by moonlightcheese
i know this is probably default behavior in phpBB but it's generally bad practice to send a password in an email unless a user asks for it explicitly and i personally don't appreciate it. it's simply not necessary, it's a security risk for the user and it's easily fixable. thanks.
Posted: Thu Aug 23, 2007 8:19 am
by jason
...?
The system doesn't store passwords, so it won't send it, even if you ask for it. If you are that paranoid, you always have the ability to change your password.
Also, considering you fully realize it's phpBB that does this, why not go suggest this to them?
Re: Sending passwords in registration emails: please stop
Posted: Thu Aug 23, 2007 8:28 am
by CoderGoblin
My 2 cents...
moonlightcheese wrote:... it's generally bad practice to send a password in an email unless a user asks for it explicitly ...
Says who?
I have joined a number of forums, each with a different username/password. As such, an email sent lets me simply save the email and I can reference it whenever I need. If your mail/machine is compromised or other people have access to your mail you could be in some sort of trouble anyway.
Posted: Thu Aug 23, 2007 8:40 am
by Kieran Huggins
Doesn't a tin foil hat interfere with wifi?
On a serious note, as a forum admin (not this forum) it's worth way more for the average user to have a record of their username and password than to have the kind of security practice you're talking about.
There are too many security variables at play here anyway. http is not a secure protocol, so even logging in (or signing up!) is potentially "open" to packet sniffing. You can do things to protect this kind of data, but then you're likely in a VPN and not on the net, chatting in a forum. My recommendation: don't use a valuable password on the net... at all.
Re: Sending passwords in registration emails: please stop
Posted: Thu Aug 23, 2007 8:50 am
by feyd
moonlightcheese wrote: it's simply not necessary, it's a security risk for the user and it's easily fixable. thanks.
Easily fixable? Have you ever looked at the phpbb source code?

Forward this to the phpBB guys, not us.
Re: Sending passwords in registration emails: please stop
Posted: Thu Aug 23, 2007 9:02 am
by superdezign
moonlightcheese wrote: it's generally bad practice to send a password in an email unless a user asks for it explicitly
Since when? How many websites have you signed up for that didn't give you a confirmation email including your password? Registration should be the last time the website really has access to your plaintext password, so they give it to you in case you forget. The procedures for retrieving lost passwords or resetting forgotten passwords (in order to be secure) should not be simple processes, so they help you to avoid it by giving you a record.
If you don't want it, delete it. If you've got a backdoor on your PC... Then tough luck. Otherwise, you shouldn't be so paranoid.
Posted: Fri Dec 21, 2007 11:59 am
by JAB Creations
Kieran is right, that is why I stick to my 123...err simple passwords on HTTP clientside forms.
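Added example, not part of the original thread and not phpBB code: a registration flow of the kind the first post asks for, which stores only a salted hash and mails a single-use activation link instead of the password. The `forum.example` URL, the in-memory `USERS` table, the function names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from email.message import EmailMessage

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your hardware
USERS = {}  # constructed in-memory stand-in for the user table


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, email: str, password: str) -> EmailMessage:
    """Store only derived values and return the confirmation mail."""
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)  # single-use activation secret
    USERS[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        # Keep only a digest of the token, so a database leak cannot activate accounts.
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "active": False,
    }
    msg = EmailMessage()
    msg["To"] = email
    msg["Subject"] = "Confirm your forum account"
    # The mail names the account and carries the token, never the password.
    msg.set_content(
        f"Welcome, {username}.\n"
        f"Activate: https://forum.example/activate?u={username}&t={token}\n"
    )
    return msg


def activate(username: str, token: str) -> bool:
    user = USERS.get(username)
    if user is None or user["token_hash"] is None:
        return False
    candidate = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(candidate, user["token_hash"]):
        return False
    user["active"], user["token_hash"] = True, None  # token cannot be replayed
    return True


def check_login(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None or not user["active"]:
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
```

The mailbox ends up holding the username and a link that stops working after first use, so a later mailbox compromise exposes no reusable credential.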
