CBR Forum - Enthusiast forums for Honda CBR Owners


willpower102 09-30-2007 11:44 AM

emailing users their passwords
 
DO NOT, for ANY REASON, EMAIL USERS THEIR PASSWORDS.

I just checked my email to find that the system had sent my password to me plain as day where someone could have read it.
Set the forum up to recover passwords by randomly generated passes that the user must change manually and NEVER EMAIL THE USER'S PASSWORD!
The forum admin shouldn't even be able to see the passwords, they should be stored encrypted and checked encrypted.

doncollins 09-30-2007 03:33 PM

RE: emailing users their passwords
 
None of us can see your password, we can change it, but we cannot see the password you typed in. If you forget your password and use the "forgot password" option, I'm assuming it will send you your password. And it's been a couple of years since I had to create an account, but I think I remember the system sending you your login info after you create an account.

doncollins 09-30-2007 04:17 PM

RE: emailing users their passwords
 
I did a test for you, when you create a new account, the system does send you an email confirming the details and in plain text, you'll see your username and password.

willpower102 09-30-2007 04:33 PM

RE: emailing users their passwords
 
I did assume / hope that the passwords wouldn't be archived in a way that they could be seen. (I promise, I wasn't implying any malicious intent at all)
And sorry if it sounded like I was yelling. I wasn't. Just trying to REALLY stress the importance of this matter.

Emails that contain passwords in them can, I think (it's been a minute), be scanned by traffic monitors for many businesses. Some crooked techs or spying bosses look for things like that. More importantly, if someone forgets to log out of their email account, the next person can just search for "password" and bam they have it from this forum's email.

Now of course, a smart person would use a different password for forums than they would for their bank and work information. But the problem is, some ridiculously large percent of people don't take those precautions. I know it's not necessarily our responsibility to protect people from themselves, and in a way it's about as effective as p!$$!ng in the ocean, BUT it's still good practice to do our part and cover their tracks for them.

Although there are several methods, the simplest is password RESET via email instead of "recovery". (If possible, adding a security question would be even better.) With this method, the user who forgot their password gets a one shot email that will allow them to reset their password. OR the email could send them a temp random password, something really long like x67rDm891Wq, that would allow them one logon and instantly make them change their password.

In any of the situations the user's password is NEVER displayed or sent to them, and the reset method only works once. (Then they have to go through the process again if they screw it up somehow, like set themselves a pass they can't remember.) And of course, they can always set the pass back to something they currently use, or even the same password it was if they end up remembering it.

edit: I forgot to mention also that it would be a good idea to take out the initial password sent on signup as well. Just the username so that they can reset if they need to.
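
Added example (not part of the thread and not the forum software's code): a sketch of the one-shot reset flow discussed above, in which the e-mail carries only a random single-use token and the server keeps only hashes of the password and the token. The `ResetStore` class, the 15-minute lifetime and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the thread names none
PBKDF2_ROUNDS = 600_000      # assumed work factor


class ResetStore:
    """Hypothetical in-memory stand-in for the forum's user table."""

    def __init__(self):
        self.password_hashes = {}  # username -> salt + PBKDF2 digest
        self.pending = {}          # username -> (sha256(token), expiry)

    @staticmethod
    def _hash_password(password, salt):
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return salt + digest

    def set_password(self, username, password):
        self.password_hashes[username] = self._hash_password(password, secrets.token_bytes(16))

    def check_password(self, username, password):
        stored = self.password_hashes.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._hash_password(password, stored[:16]))

    def issue_reset_token(self, username, now=None):
        """Return the token to e-mail; only its hash is kept server-side."""
        if username not in self.password_hashes:
            return None  # unknown account: nothing to reset
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self.pending[username] = (token_hash, now + RESET_TTL_SECONDS)
        return token

    def redeem(self, username, token, new_password, now=None):
        """Set a new password if the token is valid; a token works once."""
        now = time.time() if now is None else now
        token_hash, expiry = self.pending.get(username, (b"", 0.0))
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(token_hash, supplied):
            return False
        del self.pending[username]  # single use: a replayed link fails
        self.set_password(username, new_password)
        return True
```

Because the stored values are hashes, neither an administrator reading the table nor a copy of the database yields the user's password or a usable reset link.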

