Forum Account password in plaintext mail

Postby scorp84 » 2016-04-21 14:18

Hi,

upon registration you send the password I have chosen for my account in plaintext per mail to my email address. This is not secure. I can not understand that websites still do this these days.
scorp84
 
Posts: 3
Joined: 2016-04-21 14:11

Re: Forum Account password in plaintext mail

Postby geekosupremo » 2016-04-21 16:14

For what it's worth, none of this site is "secured" so a plain text password isn't the worst.

It's always possible to change your password once you're logged in if you don't want it to be the same as the emailed password. For myself I use a password manager and have it generate a new password every so often.
geekosupremo
 
Posts: 154
Joined: 2014-10-30 23:17

Re: Forum Account password in plaintext mail

Postby GarryRicketson » 2016-04-21 16:28

If that is a concern, then you can always change the password again, in the
User Control Panel > Profile > Edit account settings


However:
-- to my email address. This is not secure.


If your e-mail service or address is not secure, perhaps you should look for a more secure service? There is nothing we can do about that on our end.


I can not understand that websites still do this these days.

Actually, that is pretty standard for a forum; some generate a random password and send that by e-mail, and then, the same, you can change it after you log in.
As far as "websites" go, most do not have a registration, login option, not to the website itself, but it is normal procedure to need to register, get a password, and log in, to use any forum, or comment area that might be part of that website.
Agreed, it would not be wise to use an insecure e-mail service to register and receive an activation e-mail. But most people already know that, and know to simply change the password that was sent by e-mail. It is also a good idea to change your password every so often, if you are that worried about security.
GarryRicketson
 
Posts: 3861
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Forum Account password in plaintext mail

Postby scorp84 » 2016-04-22 06:29

I am not talking about my email address, I am talking about sending plain text passwords per email in general.

Ofc you could send a random password to the user and, even better, force the user to change it on the first login. But what is done: the forum lets me use a strong password of my choice... and burns it by sending it in plaintext around the world. Nice. Of course behaviour like this can be expected by some low standard/early/testing websites, but this is a tech forum. I did not expect this here and I am very disappointed. Could you at least add a small hint to the registration form that the password chosen in the registration process will be sent via plaintext?
scorp84
 
Posts: 3
Joined: 2016-04-21 14:11

Re: Forum Account password in plaintext mail

Postby GarryRicketson » 2016-04-22 07:45

If you have problems of any kind with your account...
========================
HOWTO contact forum moderators/admins
If you have problems with accounts or with posting, or having any other technical problem or question, please contact admin@forums.debian.net. The same repeat-guideline as for team@ exists here.
GarryRicketson
 
Posts: 3861
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Forum Account password in plaintext mail

Postby dasein » 2016-04-22 14:24

GarryRicketson wrote:
However:
-- to my email address. This is not secure.


If your e-mail service or address is not secure, perhaps you should look for a more secure service? There is nothing we can do about that on our end.

All email is insecure. As an SMTP message is passed from server to server between origin and destination, it is sent "in the clear," and nothing is going to change that in the foreseeable future. However, it's not at all clear what the OP imagines as a viable SMTP-based alternative.
dasein
 
Posts: 7371
Joined: 2011-03-04 01:06
Location: Terra Incantationum
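
The alternative raised in this thread (mail a throwaway secret rather than the password the user chose), as an added example that is not part of the thread or of the forum's software: the confirmation mail carries only a single-use, expiring activation token, and the server keeps just a salted hash of the chosen password. The `Registry` class, the `forum.example` URL, the 24-hour lifetime and the PBKDF2 round count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600    # assumption: activation link valid for one day
PBKDF2_ROUNDS = 600_000  # assumption: work factor for the password hash

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def hash_token(token):
    # Tokens are long and random, so a fast hash is enough for storage.
    return hashlib.sha256(token.encode()).digest()

class Registry:
    """Hypothetical in-memory account store for the example."""
    def __init__(self):
        self.users = {}

    def register(self, name, password, now=None):
        now = time.time() if now is None else now
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)
        self.users[name] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "token_hash": hash_token(token),
            "token_expiry": now + TOKEN_TTL,
            "active": False,
        }
        # The mail body is built from the token only; the password never appears.
        mail = (f"Hello {name},\n"
                f"activate: https://forum.example/activate?u={name}&t={token}\n")
        return mail, token

    def activate(self, name, token, now=None):
        now = time.time() if now is None else now
        user = self.users.get(name)
        if not user or user["token_hash"] is None or now > user["token_expiry"]:
            return False
        if not hmac.compare_digest(hash_token(token), user["token_hash"]):
            return False
        user["active"], user["token_hash"] = True, None  # single use
        return True

    def login(self, name, password):
        user = self.users.get(name)
        if not user or not user["active"]:
            return False
        return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
```

A token intercepted in transit is useless once it has been redeemed or has expired, and it never reveals the password the user picked.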

Re: Forum Account password in plaintext mail

Postby GarryRicketson » 2016-04-22 16:26

All email is insecure

And that is why it is a good idea to change one's password, after they receive the one sent by e-mail.
GarryRicketson
 
Posts: 3861
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Forum Account password in plaintext mail

Postby alderaan » 2016-04-24 12:30

GarryRicketson wrote:
All email is insecure

And that is why it is a good idea to change one's password, after they receive the one sent by e-mail.


This is a minor problem as it is easy for the user to change his password and that is supposed to happen periodically anyway. However, setting a password and then sending it via email is something I never understood: What is the point?
alderaan
 
Posts: 90
Joined: 2013-07-25 20:20

