YouWave Forum

General Category => Suggestions and Feedback => Topic started by: osnelson on October 03, 2011, 07:11:26 PM

Title: Don't send passwords in cleartext!
Post by: osnelson on October 03, 2011, 07:11:26 PM
Please turn off the setting to send the user's password to a newly-created account's email address. This is horrible security practice. If a user is too dumb to securely note their password or remember it from 5 minutes ago, they can go through the hassle of resetting their password; please don't punish the rest of us with an easily-searched password that can be used to compromise our account and any other accounts with a password identical (for shame) or similar to the one we use with you.

-----Original Message-----
From: YouWave Forum [mailto:info@youwave.com]
Sent: Monday, October 03, 2011 9:26 PM
To: <REDACTED>
Subject: Welcome to YouWave Forum

You are now registered with an account at YouWave Forum, osnelson!

Your account's username is osnelson and its password is <REDACTED BY OSNELSON> (which can be changed later.)

Before you can login, you first need to activate your account. To do so, please follow this link:

http://youwave.com/forum/index.php?action=activate;u=4668;code=<REDACTED>

Should you have any problems with activation, please use the code "<REDACTED>".

Regards,
The YouWave Forum Team.

Title: Re: Don't send passwords in cleartext!
Post by: YouWaveAdmin on October 04, 2011, 02:12:43 PM
Sorry. We agree that it is bad. We will change it. Probably we need to change SMF code to achieve it. There is no admin setting to disable it.

We do not know why SMF has it by design.

Title: Re: Don't send passwords in cleartext!
Post by: YouWaveAdmin on October 04, 2011, 02:42:13 PM
It's now changed.

We now show "its password is hidden" in the email.

BTW, please do not use "hidden" as your password. ;D
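
The change discussed in this thread, sketched as an added example (not SMF's or YouWave's code): the welcome mail carries only a single-use activation code, and the server keeps only hashes of the password and the code. The in-memory store, the function names and the `forum.example` URL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from email.message import EmailMessage
from urllib.parse import urlencode

ACCOUNTS = {}  # hypothetical in-memory store: username -> record
ACTIVATE_URL = "https://forum.example/index.php"  # placeholder URL

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def build_welcome_mail(username, email, code):
    # The password is deliberately not a parameter: the template cannot leak it.
    msg = EmailMessage()
    msg["To"] = email
    msg["Subject"] = "Welcome to the forum"
    query = urlencode({"action": "activate", "u": username, "code": code})
    msg.set_content(
        f"You are now registered, {username}!\n\n"
        "Your password is not included in this message.\n"
        "To activate your account, follow this link:\n\n"
        f"{ACTIVATE_URL}?{query}\n"
    )
    return msg

def register(username, email, password):
    salt = secrets.token_bytes(16)
    code = secrets.token_urlsafe(24)  # random, single-use activation code
    ACCOUNTS[username] = {
        "salt": salt,
        "pw_hash": _pw_hash(password, salt),  # plaintext is never stored
        "code_hash": hashlib.sha256(code.encode()).digest(),
        "active": False,
    }
    return build_welcome_mail(username, email, code)

def activate(username, code):
    rec = ACCOUNTS.get(username)
    if rec is None or rec["code_hash"] is None:
        return False
    given = hashlib.sha256(code.encode()).digest()
    if not hmac.compare_digest(given, rec["code_hash"]):
        return False
    rec["active"], rec["code_hash"] = True, None  # code cannot be replayed
    return True

def check_password(username, password):
    rec = ACCOUNTS.get(username)
    return bool(rec and rec["active"]) and hmac.compare_digest(
        _pw_hash(password, rec["salt"]), rec["pw_hash"])
```

A mailbox search or a leaked mail archive then yields at most an activation code that has already been consumed, not a credential that may be reused elsewhere.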