Please don't send username/password in confirmation email.


We're always open to a little constructive criticism.


Postby pirripb » Apr 6th, '08, 21:03

Sending our password in the forum sign up confirmation is a very bad idea. Email travels un-encrypted and bounces off of many random servers until it finds its destination. Anyone along the way who happens to be listening could potentially grab the password.
pirripb
 
Posts: 2
Joined: Apr 6th, '0

Re: Please don't send username/password in confirmation emai

Postby Chip » Apr 6th, '08, 21:55

pirripb wrote:Sending our password in the forum sign up confirmation is a very bad idea. Email travels un-encrypted and bounces off of many random servers until it finds its destination. Anyone along the way who happens to be listening could potentially grab the password.


As true as your comment may be, it is soooo commonly done. I mean it is the norm, everyone does it when you sign for virtually anything.

One solution is to sign up with a secondary password...then edit it later which would not be emailed.
Chip
Mod/Admin
 
Posts: 22135
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Postby pirripb » Apr 6th, '08, 22:31

Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it.

Emailing a password is simply something you should never do; that's all there is to it.

I'm not so sure it's common either. At least, I can't ever remember seeing it done before.
pirripb
 
Posts: 2
Joined: Apr 6th, '0

Postby Space Samurai » Apr 6th, '08, 22:39

I totally know what you mean. This one time, someone got my password, then they logged on and started talking about tea that I would never drink, lavender and chamomile and what not. It was horrible. To this day people still think I shop at Republic of Tea. It's so humiliating.
Space Samurai
 
Posts: 1634
Joined: Jan 28th, '
Location: Fort Worth, TX

Postby Chip » Apr 6th, '08, 22:40

pirripb wrote:Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it.

Emailing a password is simply something you should never do; that's all there is to it.

I'm not so sure it's common either. At least, I can't ever remember seeing it done before.


I see it done constantly...register on most sites who send confirmation emails...it shows your user name and password.
Chip
Mod/Admin
 
Posts: 22135
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Postby Chip » Apr 6th, '08, 22:41

Space Samurai wrote:I totally know what you mean. This one time, someone got my password, then they logged on and started talking about tea that I would never drink, lavender and chamomile and what not. It was horrible. To this day people still think I shop at Republic of Tea. It's so humiliating.
:shock:

I will see if we can set the password to automatic default using the user name as temp password...and instructing new member to change it promptly.

It is a good point, no argument there at all.
Chip
Mod/Admin
 
Posts: 22135
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Postby scruffmcgruff » Apr 7th, '08, 00:58

pirripb wrote:Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it.

Emailing a password is simply something you should never do; that's all there is to it.


I agree; it really shouldn't be necessary. As to Space's comment, sure, nobody really cares about what is said on this forum, but someone could use that password on other more important accounts (bank, paypal, etc.), assuming the person uses one password (which many of us do), and do some serious damage. Of course, it's a longshot, but it happens enough to be a legitimate concern, IMO.

pirripb wrote:I'm not so sure it's common either. At least, I can't ever remember seeing it done before.


I actually have seen this quite a few times. Still, that doesn't make it a good practice, just a common one.
scruffmcgruff
 
Posts: 1665
Joined: Jan 11th, '
Location: SF Bay Area, CA

Postby Space Samurai » Apr 7th, '08, 01:05

scruffmcgruff wrote:I agree; it really shouldn't be necessary. As to Space's comment, sure, nobody really cares about what is said on this forum, but someone could use that password on other more important accounts (bank, paypal, etc.), assuming the person uses one password (which many of us do), and do some serious damage. Of course, it's a longshot, but it happens enough to be a legitimate concern, IMO.


Fair enough.
Space Samurai
 
Posts: 1634
Joined: Jan 28th, '
Location: Fort Worth, TX

Postby Chip » Apr 7th, '08, 01:19

Ilya reads this thread regularly...I would like his take on this. If it can be changed easily, I would be in favor of setting a default password instructing the new member to change it the first time he visits TeaChat.
Chip
Mod/Admin
 
Posts: 22135
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji

Postby forkyfork » Apr 7th, '08, 08:57

While I do see passwords sent in plain text a lot, that doesn't mean it's the best practice.

Encryption and what-not aside, if I open the e-mail and my password is in plain view, someone looking over my shoulder could see.

I'm okay with my password being sent if I personally request it. But when I register, it is very annoying. I know what my password was, I just typed it!
forkyfork
 
Posts: 95
Joined: Sep 14th, '
Location: Orlando, FL

Postby jazz88 » Apr 7th, '08, 11:11

I wouldn't be concerned because: a) there is no personal information b) no $$ involved. Just change your password – end of story.
jazz88
 
Posts: 275
Joined: Feb 23rd, '

Postby scruffmcgruff » Apr 7th, '08, 11:49

jazz88 wrote:I wouldn't be concerned because: a) there is no personal information b) no $$ involved. Just change your password – end of story.


Try reading the rest of the thread before you respond to the original poster; these issues have already been addressed.
scruffmcgruff
 
Posts: 1665
Joined: Jan 11th, '
Location: SF Bay Area, CA

Postby jazz88 » Apr 7th, '08, 17:46

@scruffmcgruff Not that I particularly care but your tone is rather rude.
jazz88
 
Posts: 275
Joined: Feb 23rd, '

Postby scruffmcgruff » Apr 7th, '08, 20:23

Indeed, as was yours. You were dismissive of a reasonable concern, so I was dismissive of your comment.
scruffmcgruff
 
Posts: 1665
Joined: Jan 11th, '
Location: SF Bay Area, CA

Postby Chip » Apr 7th, '08, 21:10

:shock: However...there is nothing worth getting in a huff about.

So...let's be friends. :D
Chip
Mod/Admin
 
Posts: 22135
Joined: Apr 22nd, '
Location: Back in the TeaCave atop Mt. Fuji
