Registration: Don't Send Username and Password In Email

Poll: Remove Personal Account Info From Confirmation Emails?
Yes, remove both Username and Password: 100% [1 vote]
Yes, but just remove Password: 0% [0 votes]
I don't care: 0% [0 votes]
Total Votes: 1

Author: AaronSymons (Joined: 11 Jan 2019, Posts: 2)
Posted: Fri Jan 11, 2019 5:31 pm
Post subject: Registration: Don't Send Username and Password In Email

Hi,

I just registered to the forum and received a confirmation email that contained both my username and password - please no!

I hate complaining, but I'm a software developer and understand some security implications here.

Creating a topic for this is probably considered inappropriate, but I feel that my stance on this should be heard and it would be interesting for others to respond to this with their opinion.

Common practice, when sending a confirmation email, is to supply the new user with a response link containing a confirmation token that is linked with the newly created/pending account. Providing personal account information in an email is not secure and is unnecessary - at some point we need to trust that the user will remember the information they supplied.

The only time a password should be sent via email is when the user needs to recover their account, and the user should be forced to supply a different password during the next steps of recovery. Also, the password supplied here should have an expiration.

Anything sent, stored or easily viewable as plain text is easily compromised. This is why we have things like data encryption and links back to the API itself for validation.

I'll be honest, this has made me wonder about how this forum stores and manages account information - I certainly hope they're only storing the salt and hash for the password in their database and not just the plain text password! Even a forum, which should have no bank account details linked to its user accounts, should still practice good security - any website or web application which handles users, really!

I don't wish to ruffle any feathers, and certainly don't want to start off on the wrong foot. I just see this as bad practice and insecure.

I love the MusicLab products, and I'd like to have a good relationship with both MusicLab and other users. After all, we're all here due to a common passion! :)

So, whoever you are reading this, please let me know your opinions with regards to this, and let's discuss.

Thanks for reading :)

All times are GMT - 4 Hours