lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <1085200657.2171.12.camel@localhost.localdomain>
From: kye at lewislan.id.au (Kye Lewis)
Subject: Password in the Activations Email

Is this necessarily worthy of a post to FD?

I have never used that site, but I would only consider it evil if:

        1) I gave it a password at signup
        and
        2) It emailed that password back to me

        or

        3) The password was not changeable

        or

        4) the signup procedure before the activation
        required enough information about you that someone
        intercepting the mail could cause you problems

        or

        5) the email sent out contained a considerable
        amount of, and potentially harmful, information
        about you or connected to you

(the first has happened to me only a small handful of times, I've never
had the others happen)

If one of those is the case, then it's terrible, but I still don't
believe it's worthy of a CC to full-disclosure.

However I think if it sends a temporary password out, and it asks you to
change it, then that is fine in my books; it's akin to sending out an
activation "code" that one must enter to activate an account.

-- 
Kye Lewis <kye@...islan.id.au>

On Sat, 2004-05-22 at 13:15, Aditya, ALD [Aditya Lalit Deshmukh] wrote:
> Dear sir, 
>  
> I just received the activation email from the stormpay.com 
> the activation email contains the password to the site!
>  
> sir may I know why does the stormpay.com send the password by email
> with *all* the account details to the email address in plaintext that
> is not encrypted ?
>  
> I would like to know if during the transmission of the email if some
> one got hold of the mail and misused the account who would be
> responsible for it ? 
>  
>  
> hoping the u would quickly.
> -aditya
> 
> Delivered using the Free Personal Edition of Mailtraq
> (www.mailtraq.com)


