sending the password in email



aramisun
07-13-2007, 20:35
You guys are funny!
You send me an email with my username and password in cleartext so that the world can read it and then tell me that you guys can't read it because it's encrypted.
Geez.. just search your outgoing email for username="whatever" and there it is.
There has to be a better method than sending passwords via email along with the username. Yours is the only site that I know of that does this.
You guys do this every time I make an order as well.
I have a special password for scubatoys now.

ScubaToys Larry
07-13-2007, 20:59
Yea, I realize it's set up that way... On the ScubaToys site - that info is kept separate from any credit card info - so nothing matches up there...

As far as in the forum, I guess I can shut it down, but even when I've lost passwords at sites like American Airlines, and others, I can answer questions, then they email me my password.

Perhaps I should turn this off if you feel it's a problem, but we've yet to ever have it be one. I'm not sure if anyone has experienced a problem with this, but if people think it's an issue - then it's an issue to me, and I can find the code and take it out if you think that's better.

ScubaToys Larry
07-13-2007, 21:46
I've been playing with it, and found out that it does send an email with your initial registration. If, however, you go in and change your password - it doesn't.

I know for me, I'm terrible about forgetting passwords, and having this info sent in an email does not bother me - yet I would get a bit upset if, for example, my credit card info was in an email (which one of our vendors did...)

I can turn this off - or put a note on the registration page explaining how it works.

If folks want to give me your opinion on the best way to do it, I'll set it up that way...

1) leave it alone
2) don't send the password
3) send it, but give notice that it will be sent

Let me know!

aramisun
07-13-2007, 21:47
Hi Larry,
As an IT guy in a classified industry I am super aware of how much actual activity there is going on to seek out and misuse information like this. If someone uses their same username and password for other things, it could be a real potential issue.

Most people will not even realize it's a problem and for most people it will not be a problem, but that stuff that flies through the internet in cleartext is being stashed somewhere (lots of places). People should not feel comfortable with their usernames and passwords being basically public to people with the right tools and the wrong ambitions. It's well known that most people reuse the same username and passwords over and over.

I would suggest that you follow more stringent security practices. At least don't send the password unsolicited in the same email (and same line) as the username :)

It's difficult to believe that I am the only one that's concerned. Perhaps I am the only one aware. I would like to hear from others.
Thanks for listening.

ScubaToys Larry
07-13-2007, 23:16
aramisun, thank you for your time and input on this.

I have gone in and taken the password out of the welcoming email, and instead, put in that we have not sent it for security reasons, and if they forget it, they can use the forgot password function.

Again, it is input from members like you that will help me make this work.

Thanks!