Please don't send password in email (Full Version)

All Forums >> [Cellar Talk] >> CellarTracker Support





plusdevin -> Please don't send password in email (11/26/2007 9:40:34 AM)

I recently changed my account, and I had my username and password emailed to me in cleartext. This is really bad. Luckily, I didn't use the same password as for other accounts. But really you should never send a password via email. This should always remain a secret. Instead you should allow users to reset their password.




Schu -> RE: Please don't send password in email (11/26/2007 1:55:57 PM)

I'm pretty sure Eric stated on the sign up page that the password is not encrypted and is stored in plaintext.  Maybe that has changed since I originally signed up, but we were all warned about this at some point.

Eric, I can pull together some of my code in case you want to do a 1-way hash for the passwords and then add in a password reset page for those who have forgotten their passwords.  I have a fairly basic version that I use for a few of my sites.




Eric -> RE: Please don't send password in email (11/26/2007 3:35:45 PM)

Schu,

I have been meaning for quite some time to switch to storing a hash and doing challenge/response questions for password resets. And ideally to login on an SSL page and then redirect to non-SSL pages just sending the hash back and forth. It's just enough code (and will require everyone to log back in once) that I have been holding off until I can do the whole scenario 'right.' And yes, when you register, there is a really clear warning that you should not use a specially 'secure' password.
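Schu's offer above (a one-way hash for stored passwords plus a reset page) and Eric's reply (store a hash, reset by a separate challenge rather than mailing the secret) describe the same design. The following is an added illustration of that design in Python, not code from either poster or from CellarTracker: it uses a salted PBKDF2-HMAC-SHA256 digest from the standard library, a constant-time comparison on login, and a time-limited, single-use reset token of which only a hash is stored, so the reset e-mail carries a throwaway token instead of the password. The in-memory `USERS` table, the iteration count and the 15-minute token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stand-in for the site's user table: username -> record.
USERS = {}

PBKDF2_ITERATIONS = 100_000          # assumed work factor; tune per deployment
RESET_TOKEN_TTL_SECONDS = 15 * 60    # assumed reset-link lifetime


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256.
    A random per-user salt means two users with the same password get
    different digests, so a leaked table cannot be cracked with one
    precomputed dictionary, and the digest cannot be reversed to mail back."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store only salt + digest; the cleartext password is never kept."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "reset": None}


def verify_login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal
        # which usernames exist.
        hash_password(password)
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time reset token for the reset e-mail link.
    Only its SHA-256 hash is stored, so the table alone cannot be used to
    reset anyone's password."""
    record = USERS.get(username)
    if record is None:
        return None
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    record["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": now + RESET_TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Set a new password if the token matches and has not expired.
    A used or expired token is cleared; a mismatching guess leaves the
    pending token in place (rate limiting is a separate control)."""
    record = USERS.get(username)
    if record is None or record["reset"] is None:
        return False
    if now is None:
        now = time.time()
    pending = record["reset"]
    if now > pending["expires"]:
        record["reset"] = None
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    record["reset"] = None                      # single use
    record["salt"], record["digest"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print("login ok:", verify_login("alice", "correct horse battery"))
    tok = issue_reset_token("alice")
    print("reset ok:", redeem_reset_token("alice", tok, "new password"))
    print("old password still works:", verify_login("alice", "correct horse battery"))
```

Note that nothing here ever produces the cleartext password again: a "forgot password" flow mails the `token`, and redeeming it replaces the digest outright.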




theory -> RE: Please don't send password in email (9/11/2011 8:34:39 PM)

Hey Eric, any progress on getting SSL or TLS support? I'd like to use the CSV export interface, but am wary of including my password in the URL. If the site used SSL and accepted a POST request (or used basic auth), I could authenticate and get my data without my password appearing in the clear on the wire.

Thanks,

David




Eric -> RE: Please don't send password in email (9/11/2011 8:53:57 PM)

No changes here.




Eric -> RE: Please don't send password in email (10/28/2011 12:28:29 PM)

FYI, following up on this, as of last night CellarTracker has moved to industry best practice for password and cookie handling. https://www.cellartracker.com/forum/tm.asp?m=166607



