Please don't send password in email
Please don't send password in email - 11/26/2007 9:40:34 AM   
plusdevin
Posts: 3
Joined: 11/26/2007
Status: offline
I recently changed my account, and I had my username and password emailed to me in cleartext. This is really bad. Luckily, I didn't use the same password as for other accounts. But really you should never send a password via email. This should always remain a secret. Instead you should allow users to reset their password.
Post #: 1
RE: Please don't send password in email - 11/26/2007 1:55:57 PM   
Schu
Posts: 104
Joined: 12/3/2005
From: Gaithersburg, MD
Status: offline
I'm pretty sure Eric stated on the sign up page that the password is not encrypted and is stored in plaintext. Maybe that has changed since I originally signed up, but we were all warned about this at some point.

Eric, I can pull together some of my code in case you want to do a 1-way hash for the passwords and then add in a password reset page for those who have forgotten their passwords.  I have a fairly basic version that I use for a few of my sites.

(in reply to plusdevin)
Post #: 2
RE: Please don't send password in email - 11/26/2007 3:35:45 PM   
Eric
Posts: 17308
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Schu,

I have been meaning for quite some time to switch to storing a hash and doing challenge/response questions for password resets. And ideally to login on an SSL page and then redirect to non-SSL pages just sending the hash back and forth. It's just enough code (and will require everyone to log back in once) that I have been holding off until I can do the whole scenario 'right.' And yes, when you register, there is a really clear warning that you should not use a specially 'secure' password.


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Schu)
Post #: 3
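The pieces Schu offers and Eric says he has been meaning to build (a one-way salted hash in place of the stored plaintext, and a reset page so the password never has to be mailed), as an added example that is not part of this thread and not CellarTracker's code. PBKDF2-HMAC-SHA256 from the Python standard library and an in-memory dict stand in for whatever hash and database the site uses; the reset uses a single-use, time-limited token mailed as a link rather than the challenge/response questions Eric mentions, so the user proves control of the mailbox without the password itself ever appearing in an email.

```python
# Added example (not CellarTracker code): salted one-way password hashing plus a
# token-based reset flow. USERS is a constructed stand-in for a database table.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # reset links stop working after 15 minutes

USERS = {}  # username -> {"pw": stored hash, "reset": (token_sha256, expires_at) or None}


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' for storage; the password itself is never kept."""
    salt = secrets.token_bytes(16)  # fresh per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    fields = stored.split("$")
    if len(fields) != 4 or fields[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_b64, digest_b64 = fields
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def register(username: str, password: str) -> None:
    USERS[username] = {"pw": hash_password(password), "reset": None}


def login(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and verify_password(user["pw"], password)


def start_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token to mail as a link. Only its SHA-256 is stored, so a copied
    database cannot be used to finish someone else's reset."""
    user = USERS.get(username)
    if user is None:
        return None  # the caller should answer identically either way (no user enumeration)
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    user["reset"] = (hashlib.sha256(token.encode()).hexdigest(), now + RESET_TOKEN_TTL)
    return token


def finish_reset(username: str, token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, and replace the stored hash."""
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    token_hash, expires_at = user["reset"]
    now = time.time() if now is None else now
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expires_at or not hmac.compare_digest(presented, token_hash):
        return False
    user["pw"] = hash_password(new_password)
    user["reset"] = None  # single use
    return True
```

The stored string carries its own salt and iteration count, so the cost can be raised later and old records still verify; a successful reset discards the token, and an expired or wrong token is rejected without revealing which.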
RE: Please don't send password in email - 9/11/2011 8:34:39 PM   
theory
Posts: 1
Joined: 9/11/2011
Status: offline
Hey Eric, any progress on getting SSL or TLS support? I'd like to use the CSV export interface, but am wary of including my password in the URL. If the site used SSL and accepted a POST request (or used basic auth), I could authenticate and get my data without my password appearing in the clear on the wire.

Thanks,

David

(in reply to Eric)
Post #: 4
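What David's concern about a password in the export URL comes down to, as an added example that is not part of this thread and not CellarTracker's code: the request line (method, path and query string) is what web servers, proxies and browser histories record, while an Authorization header is not. The export path `/export.csv`, the parameter names and the log line format are hypothetical stand-ins.

```python
# Added example (not CellarTracker code): a credential in the query string versus
# the same credential in an RFC 7617 Basic Authorization header over HTTPS.
import base64
import urllib.parse
import urllib.request

EXPORT_PATH = "/export.csv"  # hypothetical; not the site's real endpoint
SENSITIVE_PARAMS = {"password", "pass", "pw", "token"}


def export_request_with_query(host: str, user: str, password: str) -> urllib.request.Request:
    """The pattern the post warns about: the password travels in the URL itself."""
    query = urllib.parse.urlencode({"user": user, "password": password})
    return urllib.request.Request(f"https://{host}{EXPORT_PATH}?{query}")


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credentials: base64 of 'user:password'. Only acceptable over TLS."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def export_request_with_header(host: str, user: str, password: str) -> urllib.request.Request:
    """Same export as a POST; the credential rides in a header, not in the request line."""
    req = urllib.request.Request(f"https://{host}{EXPORT_PATH}", data=b"", method="POST")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def access_log_line(req: urllib.request.Request, status: int = 200) -> str:
    """Approximate a Common Log Format entry (constructed client address and timestamp):
    the server records the request line, never the Authorization header."""
    parsed = urllib.parse.urlsplit(req.full_url)
    target = parsed.path + ("?" + parsed.query if parsed.query else "")
    return f'203.0.113.7 - - [11/Sep/2011:20:34:39 +0000] "{req.get_method()} {target} HTTP/1.1" {status} 512'


def redact_query(url: str) -> str:
    """Server-side mitigation for logs that must keep full URLs: mask secret parameters."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))
```

Run `access_log_line()` over both requests to see the difference a header makes; `redact_query()` is the fallback for the many places (access logs, referrers, shared links) that keep URLs regardless, and moving the credential out of the URL removes the need for it.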
RE: Please don't send password in email - 9/11/2011 8:53:57 PM   
Eric
Posts: 17308
Joined: 10/10/2003
From: Seattle, WA
Status: offline
No changes here.

(in reply to theory)
Post #: 5
RE: Please don't send password in email - 10/28/2011 12:28:29 PM   
Eric
Posts: 17308
Joined: 10/10/2003
From: Seattle, WA
Status: offline
FYI, following up on this, as of last night CellarTracker has moved to industry best practice for password and cookie handling. https://www.cellartracker.com/forum/tm.asp?m=166607

(in reply to Eric)
Post #: 6