Password in Welcome Email!

For discussions about security.

Are You Comfortable w/ Your Password in Welcome Email?

Yes: 3 votes (50%)
No: 1 vote (17%)
I do not or had not even realized what the problem could be: 0 (no votes)
I Never Even Thought About It: 1 vote (17%)
Other- Please Specify and Explain: 1 vote (17%)

Total votes: 6

Digital_Dissident
Posts: 25
Joined: Tue 02 Mar 2010, 10:49
Location: U.S.- E. Coast

Password in Welcome Email!

#1 Post by Digital_Dissident »

I was dismayed to find the password I had just registered with in the welcome email I received upon registration to this site.

Only a few out of the many different sites I have registered with have included the password in the welcome or confirmation email.

The security implications should be obvious.

bugman

#2 Post by bugman »

are you kidding?

i get passwords in emails for things like forums all the time

it's just a forum, don't post your social security number and bank account information and all will probably be well

[unless you want to]

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#3 Post by Lobster »

The security implications should be obvious
Only for the purposes of FUD and security trolling

I am wondering if the current crop of FUD is a sponsored
agenda or just deep concern for the well being of Puppys?

Not obvious to me either
Mind you I have been running as root for the last 5 years . . ..
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

tlchost
Posts: 2057
Joined: Sun 05 Aug 2007, 23:26
Location: Baltimore, Maryland USA

Re: Password in Welcome Email!

#4 Post by tlchost »

Digital_Dissident wrote: I was dismayed to find the password I had just registered with in the welcome email I received upon registration to this site.

The security implications should be obvious.

A large number of forums do send the passwords in plain text in the welcome mail. It's not so much a function of the particular site, but more of the application that is in use for the forum.

Amazes me that the very large user base here hasn't revolted because of the obvious security implications...or could it be that you're dancing to the tune of a different drummer.

Thom

bugman

#5 Post by bugman »

web hosting services do this too, that would seem to be a much bigger problem

what is someone going to do with my password here--write a love letter from me to alienjeff?

on further reflection--this is a very serious problem!

:wink:

snowshaker
Posts: 23
Joined: Sun 24 Aug 2008, 15:58
Location: Midwesterner running Slacko Puppy 5.3

#6 Post by snowshaker »

Your password comes in the mail, and you change it right away.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#7 Post by Lobster »

Many thanks snowshaker,

Makes sense.
I think that is what most of us do
and (believe it or not) we probably don't change our password every month . . .

A lot of services work this way
If anyone still has concerns please write to John Murga, Flash or Pizzasgood.

I hope the original poster was sincere?
It just seems we have a crop of posts claiming all kinds of 'security' problems that on investigation are not so serious.

As a special service to the tin hats I would suggest this is a distraction
to the real issues and areas of vulnerability . . .

Puppy Linux
with added geekiness
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Digital_Dissident
Posts: 25
Joined: Tue 02 Mar 2010, 10:49
Location: U.S.- E. Coast

Sorry for Coming Across The Wrong Way

#8 Post by Digital_Dissident »

Hello again,

Let me first say that I'm sorry for just jumping-in this way that could have come across confrontational or troll-like. I had browsed the forum and read a number of posts for some time before finally registering now and was actually almost ready to post regarding dial-up and internal Winmodems when I got distracted and diverted--first by this password issue and then by a number of other things.

I realize that this practice of including the password in the registration email is not unique to this site and obviously does not pose the same risks as it would for a commerce site or the like, where sensitive information is exchanged.

Nonetheless, it does pose some concerns.

Someone with malicious intent toward a registered forum user could wreak quite a bit of mischief through impersonating him or her.

Another concern is that there will inevitably be some people who will register with the same password that they already use for one or more banking, commerce or other sites where sensitive data is involved.

snowshaker wrote: Your password comes in the mail, and you change it right away.

Well, first of all, are you sure that the new one isn't emailed as well whenever one changes their password?

Assuming that's not a problem, what you suggest could very well be a satisfactory solution in many, if not most, cases-- assuming one receives as well as opens the email right away and sees the password in it.

But even then, a case where the same password was already protecting sensitive data at other sites could still pose a problem.

In any event, as I had noted, I have found it to be the exception rather than the rule for a site to email the password upon registration. I was therefore sincerely taken aback and wanted to see what others felt about this. This seemed like an appropriate section of the forum for such a discussion and I appreciate that people responded.

I hope people won't mind my asking about something else, while I'm at it.

It seems that by default, one's email address is displayed at the bottom of each post one makes. I only realized and changed this after posting. This is also different from the other forums I have experience with, where by default email addresses are not displayed and I would like to hear what others feel about this.

Thanks for your patience and indulgence and for all that so many of you do not only for Puppy but for the larger GNU/Linux and open source community/movement in general. (at least by extension)

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#9 Post by Lobster »

Many thanks for your response Digital_Dissident,

Tin foil hats, the cautious, security aware and the paranoid
are all welcome at Puppy :wink:

Your courteous tone is very welcome

I look forward to more of your posts and hope your questions will be addressed :)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#10 Post by Pizzasgood »

FWIW, we aren't using SSL, so every time you login the password is sent over the network in plaintext. (Same goes for any other forum that doesn't use SSL to login).

I do agree that we probably shouldn't send those emails, and that the email should be not visible by default (though the first thing anybody should do upon registering for a forum is to enter their control panel and set their options).
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
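
Added example, not part of the thread and not the forum software's own code: a registration flow that avoids the concern raised above by e-mailing a single-use activation token instead of the password. The in-memory `USERS` store, the function names and the `forum.example` URL are assumptions for illustration; PBKDF2-HMAC-SHA256 is used here for password hashing.

```python
import hashlib, hmac, secrets, time

USERS = {}  # hypothetical in-memory store standing in for the forum database

def _hash_password(password, salt):
    # Slow, salted hash so the stored value cannot be read back as a password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, email, password, now=None):
    """Create an inactive account and return the welcome e-mail body."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)  # single-use activation secret
    USERS[username] = {
        "email": email,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),  # plaintext is never stored
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "token_expires": now + 24 * 3600,
        "active": False,
    }
    # The message carries only the short-lived token, never the password.
    return (f"Welcome, {username}!\n"
            "Activate your account: https://forum.example/activate"
            f"?user={username}&token={token}\n"
            "This link works once and expires in 24 hours.")

def activate(username, token, now=None):
    """Accept the token once, within its lifetime; then discard it."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if not user or user["token_hash"] is None or now > user["token_expires"]:
        return False
    supplied = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(supplied, user["token_hash"]):
        return False
    user["active"], user["token_hash"] = True, None  # burn the token
    return True

def check_login(username, password):
    """Constant-time comparison of the recomputed hash; inactive users fail."""
    user = USERS.get(username)
    if not user or not user["active"]:
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])
```

A mailbox that is read later by someone else then yields only an expired or already-used token, and a password reused on other sites never appears in the message.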
