Password in Welcome Email!
- Digital_Dissident
- Posts: 25
- Joined: Tue 02 Mar 2010, 10:49
- Location: U.S.- E. Coast
Password in Welcome Email!
I was dismayed to find the password I had just registered with in the welcome email I received upon registration to this site.
Only a few out of the many different sites I have registered with have included the password in the welcome or confirmation email.
The security implications should be obvious.
Re: Password in Welcome Email!
Digital_Dissident wrote: I was dismayed to find the password I had just registered with in the welcome email I received upon registration to this site. The security implications should be obvious.
A large number of forums do send the passwords in plain text in the welcome mail. It's not so much a function of the particular site, but more of the application that is in use for the forum.
Amazes me that the very large user base here hasn't revolted because of the obvious security implications...or could it be that you're dancing to the tune of a different drummer.
Thom
-
- Posts: 23
- Joined: Sun 24 Aug 2008, 15:58
- Location: Midwesterner running Slacko Puppy 5.3
- Lobster
- Official Crustacean
- Posts: 15522
- Joined: Wed 04 May 2005, 06:06
- Location: Paradox Realm
- Contact:
Many thanks snowshaker,
Makes sense.
I think that is what most of us do
and (believe it or not) we probably don't change our password every month . . .
A lot of services work this way
If anyone still has concerns please write to John Murga, Flash or Pizzasgood.
I hope the original poster was sincere?
It just seems we have a crop of posts claiming all kinds of 'security' problems that on investigation are not so serious.
As a special service to the tin hats I would suggest this is a distraction
to the real issues and areas of vulnerability . . .
Puppy Linux
with added geekiness
- Digital_Dissident
- Posts: 25
- Joined: Tue 02 Mar 2010, 10:49
- Location: U.S.- E. Coast
Sorry for Coming Across The Wrong Way
Hello again,
Let me first say that I'm sorry for just jumping-in this way that could have come across confrontational or troll-like. I had browsed the forum and read a number of posts for some time before finally registering now and was actually almost ready to post regarding dial-up and internal Winmodems when I got distracted and diverted--first by this password issue and then by a number of other things.
I realize that this practice of including the password in the registration email is not unique to this site and obviously does not pose the same risks as it would for a commerce site or the like, where sensitive information is exchanged.
Nonetheless, it does pose some concerns.
Someone with malicious intent toward a registered forum user could wreak quite a bit of mischief through impersonating him or her.
Another concern is that there will inevitably be some people who will register with the same password that they already use for one or more banking, commerce or other sites where sensitive data is involved.
snowshaker wrote: Your password comes in the mail, and you change it right away.
Well, first of all, are you sure that the new one isn't emailed as well whenever one changes their password?
Assuming that's not a problem, what you suggest could very well be a satisfactory solution in many, if not most, cases-- assuming one receives as well as opens the email right away and sees the password in it.
But even then, a case where the same password was already protecting sensitive data at other sites could still pose a problem.
In any event, as I had noted, I have found it to be the exception rather than the rule for a site to email the password upon registration. I was therefore sincerely taken aback and wanted to see what others felt about this. This seemed like an appropriate section of the forum for such a discussion and I appreciate that people responded.
I hope people won't mind my asking about something else, while I'm at it.
It seems that by default, one's email address is displayed at the bottom of each post one makes. I only realized and changed this after posting. This is also different from the other forums I have experience with, where by default email addresses are not displayed and I would like to hear what others feel about this.
Thanks for your patience and indulgence and for all that so many of you do not only for Puppy but for the larger GNU/Linux and open source community/movement in general. (at least by extension)
- Pizzasgood
- Posts: 6183
- Joined: Wed 04 May 2005, 20:28
- Location: Knoxville, TN, USA
FWIW, we aren't using SSL, so every time you log in the password is sent over the network in plaintext. (Same goes for any other forum that doesn't use SSL to log in).
I do agree that we probably shouldn't send those emails, and that the email should be not visible by default (though the first thing anybody should do upon registering for a forum is to enter their control panel and set their options).
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
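One way a registration flow can avoid putting the password in the welcome mail at all, as discussed in the thread above (an added example, not the forum software's code; the function names, the in-memory `USERS` table and the `forum.example` URL are assumptions): the account keeps only a salted scrypt hash, and the mail carries a single-use, expiring activation token.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}             # in-memory stand-in for the user table (constructed)
TOKEN_TTL = 24 * 3600  # activation links expire after one day (assumed policy)

def _hash_password(password, salt):
    # Memory-hard KDF from the standard library; parameters are illustrative.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def register(username, password, now=None):
    """Create an inactive account and return the welcome e-mail body."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        # Only a digest of the token is stored, so a leaked table
        # does not contain working activation links.
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "token_expires": now + TOKEN_TTL,
        "active": False,
    }
    # The mail carries the token and never the password (placeholder URL).
    return (f"Welcome, {username}!\n"
            f"Activate: https://forum.example/activate?u={username}&t={token}\n")

def activate(username, token, now=None):
    """Consume the activation token; False if unknown, expired, used or wrong."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if not user or user["token_hash"] is None or now > user["token_expires"]:
        return False
    supplied = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(supplied, user["token_hash"]):
        return False
    user["token_hash"] = None  # single use
    user["active"] = True
    return True

def check_login(username, password):
    """Recompute the hash from the stored salt and compare in constant time."""
    user = USERS.get(username)
    if not user or not user["active"]:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
```
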