Please don't send username/password in confirmation email.

We're always open to a little constructive criticism.


Postby pirripb » Apr 6th, '08, 21:03

Sending our password in the forum sign up confirmation is a very bad idea. Email travels unencrypted and bounces off of many random servers until it finds its destination. Anyone along the way who happens to be listening could potentially grab the password.

pirripb
Posts: 2
Joined: Apr 06, '08
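
Added example, not part of the original thread or of the forum's software: one way a sign-up confirmation can avoid carrying the password at all, by mailing a random single-use activation token instead. The in-memory `users` table, the `forum.example` URL, the PBKDF2 round count and the 24-hour link lifetime are assumptions.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlencode

# Assumptions for this sketch: in-memory user table, 24 h link lifetime,
# PBKDF2 round count, and the forum.example URL are all illustrative.
TOKEN_TTL = 24 * 3600
PBKDF2_ROUNDS = 600_000
users = {}

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _token_hash(token):
    return hashlib.sha256(token.encode()).digest()

def register(username, password, now=None):
    """Create an inactive account; return the confirmation email body."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)  # random, unrelated to the password
    users[username] = {
        "salt": salt,
        "pw_hash": _pw_hash(password, salt),  # stored salted and hashed, never mailed
        "token_hash": _token_hash(token),     # only a hash of the link token is stored
        "token_expires": now + TOKEN_TTL,
        "active": False,
    }
    query = urlencode({"u": username, "t": token})
    return (f"Welcome, {username}!\n"
            f"Confirm your account: https://forum.example/activate?{query}\n"
            "Your password is not included in this message.")

def activate(username, token, now=None):
    """Accept the emailed token once, and only before it expires."""
    now = time.time() if now is None else now
    user = users.get(username)
    if not user or user["token_hash"] is None or now > user["token_expires"]:
        return False
    if not hmac.compare_digest(user["token_hash"], _token_hash(token)):
        return False
    user["active"], user["token_hash"] = True, None  # burn the token after use
    return True

def check_password(username, password):
    """Log in with the password the user typed at sign-up."""
    user = users.get(username)
    if not user or not user["active"]:
        return False
    return hmac.compare_digest(user["pw_hash"], _pw_hash(password, user["salt"]))
```

Anyone who reads this message in transit learns only a token that expires and stops working after its first use, not a credential the user may have reused elsewhere.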

Re: Please don't send username/password in confirmation emai

Postby Chip » Apr 6th, '08, 21:55

pirripb wrote: Sending our password in the forum sign up confirmation is a very bad idea. Email travels unencrypted and bounces off of many random servers until it finds its destination. Anyone along the way who happens to be listening could potentially grab the password.


As true as your comment may be, it is soooo commonly done. I mean it is the norm, everyone does it when you sign up for virtually anything.

One solution is to sign up with a secondary password...then edit it later which would not be emailed.

Chip
Mod/Admin
Posts: 22818
Joined: Apr 22, '06
Location: Back in the TeaCave atop Mt. Fuji

Postby pirripb » Apr 6th, '08, 22:31

Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it.

Emailing a password is simply something you should never do; that's all there is to it.

I'm not so sure it's common either. At least, I can't ever remember seeing it done before.

pirripb
Posts: 2
Joined: Apr 06, '08

Postby Space Samurai » Apr 6th, '08, 22:39

I totally know what you mean. This one time, someone got my password, then they logged on and started talking about tea that I would never drink, lavender and chamomile and what not. It was horrible. To this day people still think I shop at Republic of Tea. It's so humiliating.

Space Samurai
Posts: 1634
Joined: Jan 28, '07
Location: Fort Worth, TX

Postby Chip » Apr 6th, '08, 22:40

pirripb wrote: Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it.

Emailing a password is simply something you should never do; that's all there is to it.

I'm not so sure it's common either. At least, I can't ever remember seeing it done before.


I see it done constantly...register on most sites who send confirmation emails...it shows your user name and password.

Chip
Mod/Admin
Posts: 22818
Joined: Apr 22, '06
Location: Back in the TeaCave atop Mt. Fuji

Postby Chip » Apr 6th, '08, 22:41

Space Samurai wrote: I totally know what you mean. This one time, someone got my password, then they logged on and started talking about tea that I would never drink, lavender and chamomile and what not. It was horrible. To this day people still think I shop at Republic of Tea. It's so humiliating.
:shock:

I will see if we can set the password to automatic default using the user name as temp password...and instructing new member to change it promptly.

It is a good point, no argument there at all.

Chip
Mod/Admin
Posts: 22818
Joined: Apr 22, '06
Location: Back in the TeaCave atop Mt. Fuji

Postby scruffmcgruff » Apr 7th, '08, 00:58

pirripb wrote: Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it.

Emailing a password is simply something you should never do; that's all there is to it.


I agree; it really shouldn't be necessary. As to Space's comment, sure, nobody really cares about what is said on this forum, but someone could use that password on other more important accounts (bank, PayPal, etc.), assuming the person uses one password (which many of us do), and do some serious damage. Of course, it's a long shot, but it happens enough to be a legitimate concern, IMO.

pirripb wrote: I'm not so sure it's common either. At least, I can't ever remember seeing it done before.


I actually have seen this quite a few times. Still, that doesn't make it a good practice, just a common one.

scruffmcgruff
Posts: 1665
Joined: Jan 11, '07
Location: SF Bay Area, CA

Postby Space Samurai » Apr 7th, '08, 01:05

scruffmcgruff wrote: I agree; it really shouldn't be necessary. As to Space's comment, sure, nobody really cares about what is said on this forum, but someone could use that password on other more important accounts (bank, PayPal, etc.), assuming the person uses one password (which many of us do), and do some serious damage. Of course, it's a long shot, but it happens enough to be a legitimate concern, IMO.


Fair enough.

Space Samurai
Posts: 1634
Joined: Jan 28, '07
Location: Fort Worth, TX

Postby Chip » Apr 7th, '08, 01:19

Ilya reads this thread regularly...I would like his take on this. If it can be changed easily, I would be in favor of setting a default password instructing the new member to change it the first time he visits TeaChat.

Chip
Mod/Admin
Posts: 22818
Joined: Apr 22, '06
Location: Back in the TeaCave atop Mt. Fuji

Postby forkyfork » Apr 7th, '08, 08:57

While I do see passwords sent in plain text a lot, that doesn't mean it's the best practice.

Encryption and what-not aside, if I open the e-mail and my password is in plain view, someone looking over my shoulder could see.

I'm okay with my password being sent if I personally request it. But when I register, it is very annoying. I know what my password was, I just typed it!

forkyfork
Posts: 95
Joined: Sep 14, '07
Location: Orlando, FL

Postby jazz88 » Apr 7th, '08, 11:11

I wouldn't be concerned because: a) there is no personal information b) no $$ involved. Just change your password – end of story.

jazz88
Posts: 275
Joined: Feb 23, '08

Postby scruffmcgruff » Apr 7th, '08, 11:49

jazz88 wrote: I wouldn't be concerned because: a) there is no personal information b) no $$ involved. Just change your password – end of story.


Try reading the rest of the thread before you respond to the original poster; these issues have already been addressed.

scruffmcgruff
Posts: 1665
Joined: Jan 11, '07
Location: SF Bay Area, CA

Postby jazz88 » Apr 7th, '08, 17:46

@scruffmcgruff Not that I particularly care but your tone is rather rude.

jazz88
Posts: 275
Joined: Feb 23, '08

Postby scruffmcgruff » Apr 7th, '08, 20:23

Indeed, as was yours. You were dismissive of a reasonable concern, so I was dismissive of your comment.

scruffmcgruff
Posts: 1665
Joined: Jan 11, '07
Location: SF Bay Area, CA

Postby Chip » Apr 7th, '08, 21:10

:shock: However...there is nothing worth getting in a huff about.

So...let's be friends. :D

Chip
Mod/Admin
Posts: 22818
Joined: Apr 22, '06
Location: Back in the TeaCave atop Mt. Fuji

