Apr 6th, '08, 21:03
Posts: 2
Joined: Apr 6th, '08, 20:29

Please don't send username/password in confirmation email.

by pirripb » Apr 6th, '08, 21:03

Sending our password in the forum sign up confirmation is a very bad idea. Email travels un-encrypted and bounces off of many random servers until it finds its destination. Anyone along the way who happens to be listening could potentially grab the password.
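An alternative to the confirmation email described in this post, as an added example that is not part of the thread or of the forum's software: the message carries a random, single-use, expiring activation token and never the password. The `forum.example` URL, the 24-hour window, the in-memory `accounts` store and the function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from email.message import EmailMessage
from urllib.parse import urlencode

TOKEN_TTL = 24 * 3600                        # assumed activation window, in seconds
BASE_URL = "https://forum.example/activate"  # placeholder URL
PBKDF2_ROUNDS = 600_000
accounts = {}                                # in-memory stand-in for the user table

def register(username, address, password, now=None):
    """Create an inactive account and return the confirmation e-mail."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)        # random, unrelated to the password
    accounts[username] = {
        "salt": salt,
        # Only a salted, slow hash of the password is kept server-side.
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        # Only a hash of the token is kept, so a database leak does not expose live links.
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL,
        "active": False,
    }
    msg = EmailMessage()
    msg["To"] = address
    msg["Subject"] = "Confirm your forum registration"
    query = urlencode({"user": username, "token": token})
    msg.set_content(
        f"Hello {username},\n\n"
        f"Confirm your account within 24 hours:\n{BASE_URL}?{query}\n\n"
        "Your password is not included in this message.\n"
    )
    return msg

def activate(username, token, now=None):
    """Activate the account if the token matches, is unexpired and unused."""
    now = time.time() if now is None else now
    acct = accounts.get(username)
    if acct is None or acct["token_hash"] is None or now > acct["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, acct["token_hash"]):
        return False
    acct["active"] = True
    acct["token_hash"] = None                # single use: a captured link cannot be replayed
    return True
```

Anyone who reads this message in transit learns a link that stops working after first use or after the window closes, not a credential the member may have reused elsewhere.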

Apr 6th, '08, 21:55
Mod/Admin
Posts: 21654
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

Re: Please don't send username/password in confirmation emai

by Chip » Apr 6th, '08, 21:55

pirripb wrote:Sending our password in the forum sign up confirmation is a very bad idea. Email travels un-encrypted and bounces off of many random servers until it finds its destination. Anyone along the way who happens to be listening could potentially grab the password.
As true as your comment may be, it is soooo commonly done. I mean it is the norm, everyone does it when you sign up for virtually anything.

One solution is to sign up with a secondary password...then edit it later which would not be emailed.

Apr 6th, '08, 22:31
Posts: 2
Joined: Apr 6th, '08, 20:29

by pirripb » Apr 6th, '08, 22:31

Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it?

Emailing a password is simply something you should never do; that's all there is to it.

I'm not so sure it's common either. At least, I can't ever remember seeing it done before.

Apr 6th, '08, 22:39
Posts: 1591
Joined: Jan 28th, '07, 02:24
Location: Fort Worth, TX

by Space Samurai » Apr 6th, '08, 22:39

I totally know what you mean. This one time, someone got my password, then they logged on and started talking about tea that I would never drink, lavender and chamomile and what not. It was horrible. To this day people still think I shop at Republic of Tea. It's so humiliating.

Apr 6th, '08, 22:40
Mod/Admin
Posts: 21654
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

by Chip » Apr 6th, '08, 22:40

pirripb wrote:Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it?

Emailing a password is simply something you should never do; that's all there is to it.

I'm not so sure it's common either. At least, I can't ever remember seeing it done before.
I see it done constantly...register on most sites who send confirmation emails...it shows your user name and password.

Apr 6th, '08, 22:41
Mod/Admin
Posts: 21654
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

by Chip » Apr 6th, '08, 22:41

Space Samurai wrote:I totally know what you mean. This one time, someone got my password, then they logged on and started talking about tea that I would never drink, lavender and chamomile and what not. It was horrible. To this day people still think I shop at Republic of Tea. It's so humiliating.
:shock:

I will see if we can set the password to automatic default using the user name as temp password...and instructing new member to change it promptly.

It is a good point, no argument there at all.

Apr 7th, '08, 00:58
Posts: 1636
Joined: Jan 11th, '07, 16:13
Scrolling: scrolling
Location: SF Bay Area, CA

by scruffmcgruff » Apr 7th, '08, 00:58

pirripb wrote:Well, that's good practice, but it shouldn't be necessary. Besides, what's to say that they won't email your password whenever you change it?

Emailing a password is simply something you should never do; that's all there is to it.
I agree; it really shouldn't be necessary. As to Space's comment, sure, nobody really cares about what is said on this forum, but someone could use that password on other more important accounts (bank, paypal, etc.), assuming the person uses one password (which many of us do), and do some serious damage. Of course, it's a longshot, but it happens enough to be a legitimate concern, IMO.
pirripb wrote:I'm not so sure it's common either. At least, I can't ever remember seeing it done before.
I actually have seen this quite a few times. Still, that doesn't make it a good practice, just a common one.

Apr 7th, '08, 01:05
Posts: 1591
Joined: Jan 28th, '07, 02:24
Location: Fort Worth, TX

by Space Samurai » Apr 7th, '08, 01:05

scruffmcgruff wrote: I agree; it really shouldn't be necessary. As to Space's comment, sure, nobody really cares about what is said on this forum, but someone could use that password on other more important accounts (bank, paypal, etc.), assuming the person uses one password (which many of us do), and do some serious damage. Of course, it's a longshot, but it happens enough to be a legitimate concern, IMO.
Fair enough.

Apr 7th, '08, 01:19
Mod/Admin
Posts: 21654
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

by Chip » Apr 7th, '08, 01:19

Ilya reads this thread regularly...I would like his take on this. If it can be changed easily, I would be in favor of setting a default password instructing the new member to change it the first time he visits TeaChat.

Apr 7th, '08, 08:57
Posts: 87
Joined: Sep 14th, '07, 16:56
Location: Orlando, FL

by forkyfork » Apr 7th, '08, 08:57

While I do see passwords sent in plain text a lot, that doesn't mean it's the best practice.

Encryption and what-not aside, if I open the e-mail and my password is in plain view, someone looking over my shoulder could see.

I'm okay with my password being sent if I personally request it. But when I register, it is very annoying. I know what my password was, I just typed it!

Apr 7th, '08, 11:11
Posts: 265
Joined: Feb 23rd, '08, 12:30
Contact: jazz88

by jazz88 » Apr 7th, '08, 11:11

I wouldn't be concerned because: a) there is no personal information b) no $$ involved. Just change your password – end of story.

Apr 7th, '08, 11:49
Posts: 1636
Joined: Jan 11th, '07, 16:13
Scrolling: scrolling
Location: SF Bay Area, CA

by scruffmcgruff » Apr 7th, '08, 11:49

jazz88 wrote:I wouldn't be concerned because: a) there is no personal information b) no $$ involved. Just change your password – end of story.
Try reading the rest of the thread before you respond to the original poster; these issues have already been addressed.

Apr 7th, '08, 17:46
Posts: 265
Joined: Feb 23rd, '08, 12:30
Contact: jazz88

by jazz88 » Apr 7th, '08, 17:46

@scruffmcgruff Not that I particularly care but your tone is rather rude.

Apr 7th, '08, 20:23
Posts: 1636
Joined: Jan 11th, '07, 16:13
Scrolling: scrolling
Location: SF Bay Area, CA

by scruffmcgruff » Apr 7th, '08, 20:23

Indeed, as was yours. You were dismissive of a reasonable concern, so I was dismissive of your comment.

Apr 7th, '08, 21:10
Mod/Admin
Posts: 21654
Joined: Apr 22nd, '06, 20:52
Scrolling: scrolling
Location: Back in the TeaCave atop Mt. Fuji

by Chip » Apr 7th, '08, 21:10

:shock: However...there is nothing worth getting in a huff about.

So...let's be friends. :D
