Forum Account password in plaintext mail

Code of conduct, suggestions, and information on forums.debian.net.
scorp84
Posts: 3
Joined: 2016-04-21 14:11

Forum Account password in plaintext mail

#1 Post by scorp84 »

Hi,

Upon registration you send the password I have chosen for my account in plaintext per mail to my email address. This is not secure. I cannot understand that websites still do this these days.

geekosupremo
Posts: 154
Joined: 2014-10-30 23:17

Re: Forum Account password in plaintext mail

#2 Post by geekosupremo »

For what it's worth, none of this site is "secured" so a plain text password isn't the worst.

It's always possible to change your password once you're logged in if you don't want it to be the same as the emailed password. For myself I use a password manager and have it generate a new password every so often.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Forum Account password in plaintext mail

#3 Post by GarryRicketson »

If that is a concern, then you can always change the password again, in the
<user control panel> >>Profile> Edit account settings


However:
-- to my email address. This is not secure.
If your e-mail service or address is not secure, perhaps you should look for a more secure service? There is nothing we can do about that on our end.

I can not understand that websites still do this these days.
Actually, that is pretty standard for a forum; some generate a random password and send that by e-mail, and then, the same, you can change it after you log in.
As far as "websites" go, most do not have a registration, login option, not to the website itself, but it is normal procedure to need to register, get a password, and login, to use any forum, or comment area that might be part of that website.
Agreed, it would not be wise to use an insecure e-mail service to register and receive an activation e-mail. But most people already know that, and know to simply change the password that was sent by e-mail. It is also a good idea to change your password every so often, if you are that worried about security.

scorp84
Posts: 3
Joined: 2016-04-21 14:11

Re: Forum Account password in plaintext mail

#4 Post by scorp84 »

I am not talking about my email address, I am talking about sending plain text passwords per email in general.

ofc you could send a random password to the user and, even better, force the user to change it on the first login. But what is done, the forum let me use a strong password of my choice... and burns it by sending it in plaintext around the world. Nice. Of course behaviour like this can be expected by some low standard/early/testing websites, but this is a tech forum. I did not expect this here and I am very disappointed. Could you at least add a small hint to the registration form that the password chosen in the registration process will be sent via plaintext?
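
The alternative described in post #4 (a server-generated random password that must be changed on first login), as an added example that is not part of the thread or of the forum software. The `Accounts` class, its method names and the in-memory `outbox` standing in for mail delivery are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value for this example)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Accounts:
    """Hypothetical in-memory account store; not the forum software's code."""

    def __init__(self):
        self.users = {}   # name -> {"salt", "hash", "must_change"}
        self.outbox = []  # stands in for SMTP delivery: (recipient, body)

    def _store(self, name, password, must_change):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "hash": _digest(password, salt),
                            "must_change": must_change}

    def register(self, name, email):
        # The server generates a throwaway credential, so the user's own
        # long-term password is never placed in a mail body.
        temp = secrets.token_urlsafe(12)
        self._store(name, temp, must_change=True)
        self.outbox.append((email, f"Temporary password for {name}: {temp}"))

    def _check(self, name, password):
        user = self.users.get(name)
        return user is not None and hmac.compare_digest(
            user["hash"], _digest(password, user["salt"]))

    def login(self, name, password):
        if not self._check(name, password):
            return "denied"
        # A mailed credential only unlocks the change-password step.
        return "change_required" if self.users[name]["must_change"] else "ok"

    def change_password(self, name, old, new):
        if not self._check(name, old) or old == new:
            return False
        self._store(name, new, must_change=False)  # nothing is mailed here
        return True
```

After `change_password` succeeds, the mailed value no longer authenticates, so a copy of the registration mail read later is of no use for logging in.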

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Forum Account password in plaintext mail

#5 Post by GarryRicketson »

If you have problems of any kind with your account...
========================
HOWTO contact forum moderators/admins
If you have problems with accounts or with posting, or having any other technical problem or question, please contact admin@forums.debian.net. The same repeat-guideline as for team@ exists here.

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Forum Account password in plaintext mail

#6 Post by dasein »

GarryRicketson wrote: However:
-- to my email address. This is not secure.
If your e-mail service or address is not secure, perhaps you should look for a more secure service? There is nothing we can do about that on our end.
All email is insecure. As an SMTP message is passed from server to server between origin and destination, it is sent "in the clear," and nothing is going to change that in the foreseeable future. However, it's not at all clear what the OP imagines as a viable SMTP-based alternative.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Forum Account password in plaintext mail

#7 Post by GarryRicketson »

All email is insecure
And that is why it is a good idea to change one's password, after they receive the one sent by e-mail.

alderaan
Posts: 90
Joined: 2013-07-25 20:20

Re: Forum Account password in plaintext mail

#8 Post by alderaan »

GarryRicketson wrote:
All email is insecure
And that is why it is a good idea to change one's password, after they receive the one sent by e-mail.
This is a minor problem as it is easy for the user to change his password, and that is supposed to happen periodically anyway. However, setting a password and then sending it via email is something I never understood: What is the point?
