Author Topic: Forum Signup


Ryan

  • Game Server Admins
  • Registered Forum Member
  • ***
  • Posts: 647
  • Karma: +7/-2
Forum Signup
« on: April 11, 2009, 02:00:46 AM »
Not really sure if this is the best place for this topic so please feel free to move it.
 
Having recently signed up for the forum I was disappointed to see my password was sent via email in cleartext.  I feel that this is a bit of a security risk and would ask that, if possible, the account activation mail could be altered so that it does not contain the password.  I would also like to hear other people's opinion on this issue so please post your comments.

PS In an ideal world the site would have its own SSL certificate, but having been involved with setting one up for another site I know how much of a pain it can be, therefore I understand that this will most probably not happen.
« Last Edit: April 11, 2009, 17:59:51 PM by Ryan »

Humbug

  • Community Leaders
  • Registered Forum Member
  • ******
  • Posts: 4416
  • Karma: +36/-6
Re: Forum Signup
« Reply #1 on: April 11, 2009, 02:11:16 AM »
tbh I never noticed, as we had our accounts moved over from our old site to phpBB3. I agree that the password should not be sent in the sign-up email, only on request if the password is forgotten.

/me slaps aZ :P
Cheers and Good Game

Humbug


Ryan

  • Game Server Admins
  • Registered Forum Member
  • ***
  • Posts: 647
  • Karma: +7/-2
Re: Forum Signup
« Reply #2 on: April 11, 2009, 14:48:04 PM »
Thanks for your response. I know it was done on a different forum by altering one line in the PHP file that was used to generate the activation mail, although this other forum uses Simple Machines Forum. Hopefully it could be achieved in a similar way with phpBB. I understand that this would increase the amount of work each time an update is released, but if the solution is the same it should only take a few minutes.

You will probably be sick of me going on about this so I'm going to shut up now. Perhaps I'm just a bit over-cautious when it comes to security. Thanks again for putting up with my moans and for the quick response.

LooseCannon

  • - if -
  • Community Leaders
  • Registered Forum Member
  • ******
  • Posts: 3459
  • Karma: +29/-1
Re: Forum Signup
« Reply #3 on: April 11, 2009, 17:27:59 PM »
Hello and welcome Ryan aka Storm.  :)

Hope you didn't use the same password as for your online banking ... I recommend PasswordSafe!

Zofo

  • Community Leaders
  • Registered Forum Member
  • ******
  • Posts: 3039
  • Karma: +41/-7
Re: Forum Signup
« Reply #4 on: April 11, 2009, 17:31:52 PM »
Change your password


See, problem solved. No, it's OK, no need to thank me, it's what I do  :D

Ryan

  • Game Server Admins
  • Registered Forum Member
  • ***
  • Posts: 647
  • Karma: +7/-2
Re: Forum Signup
« Reply #5 on: April 11, 2009, 17:50:58 PM »
I picked one that is used in only a few places and is only really meant for forums. I would never use the same one for my bank account as for a forum.

Arfa

  • Guest
Re: Forum Signup
« Reply #6 on: April 11, 2009, 18:09:23 PM »
Welcome to the forums Ryan  :)

Ryan

  • Game Server Admins
  • Registered Forum Member
  • ***
  • Posts: 647
  • Karma: +7/-2
Re: Forum Signup
« Reply #7 on: April 11, 2009, 22:54:44 PM »
Thanks

Paranoia

  • Game Server Admins
  • Registered Forum Member
  • ***
  • Posts: 890
  • Karma: +0/-0
    • http://www.paranoiapersonified.com
Re: Forum Signup
« Reply #8 on: April 15, 2009, 14:15:13 PM »
I must admit I do find it disconcerting when I get an email from somewhere with my password in it.

Generally I expect either to:

Not be sent my password at all, but an activation link to confirm my email address.
or:
Don't let me choose my password, but send me a random one - which I am forced to change on first sign in.

Tal's point about Effort/Time vs Reward is a completely valid one, though, and I don't think this is something that should be prioritised.

How easy would it be to add a note underneath the password field on registration saying "password is emailed in plain text after registration"? As a compromise?  ;)

Ryan

  • Game Server Admins
  • Registered Forum Member
  • ***
  • Posts: 647
  • Karma: +7/-2
Re: Forum Signup
« Reply #9 on: April 15, 2009, 15:30:11 PM »
That sounds good. If users are aware that the password will be mailed to them, they could just use a random one for signup then change it after activation.

Witness

  • Guest
Re: Forum Signup
« Reply #10 on: April 16, 2009, 19:03:29 PM »
I don't really like the idea of being mailed your password, but due to this being only a gaming forum I think it's fine. A security risk, but not that important compared to financial passwords. Everyone should use different passwords for different things anyway  :P