Sending password via e-mail after registration

Karl02 · Post by **Karl02** » Mon Sep 03, 2007 2:35 pm

I don't think that it's a good idea to automatically send the password in cleartext to a new user after he has registered. It's not necessary and it's a security risk. Could somebody please turn that off?

ckit · Post by **ckit** » Mon Sep 03, 2007 2:50 pm

I think the idea is that you go and change your password after it's been sent to you which should only happen when you first register with the forum.

helmut · Post by **helmut** » Mon Sep 03, 2007 6:40 pm

For forums it is pretty much standard to send a confirmation mail with login and password. Sure enough this is not very safe, but this forum has a quite different level of security than an online banking account for example.

So all I can say is:
Neither http protocol (=normal webpages) nor e-mail is safe, people should be aware of this. Never use one single password for everything.
Only https is encrypted and offers real security.

Karl02 · Post by **Karl02** » Fri Sep 07, 2007 9:11 am

Sending a confirmation mail makes sense, but it's not necessary to include the password. Of course the security level of a forum is lower than that of a banking account, but in my opinion it should not be unnecessarily lowered further.

I hope the inclusion of the password in the confirmation mail can be turned off in the forum software. If not, it should at least be mentioned on the registration page that the chosen password will be included in the confirmation mail. Furthermore, an according request should be send to the forum software forum ... Hmm, it seems that there has been some discussion already:

- Password sent back by phpBB in welcome email
- Registration passwords in the clear.