Message-ID: <1085200657.2171.12.camel@localhost.localdomain>
From: kye at lewislan.id.au (Kye Lewis)
Subject: Password in the Activations Email

Is this necessarily worthy of a post to FD?

I have never used that site, but I would only consider it evil if:

1) I gave it a password at signup
and
2) It emailed that password back to me
or
3) The password was not changeable
or
4) the signup procedure before the activation
required enough information about you that someone
intercepting the mail could cause you problems
or
5) the email sent out contained a considerable
amount of, and potentially harmful, information
about you or connected to you

(the first has happened to me only a small handful of times, I've never
had the others happen)

If one of those is the case, then it's terrible, but I still don't
believe it's worthy of a CC to full-disclosure.

However I think if it sends a temporary password out, and it asks you to
change it, then that is fine in my books; it's akin to sending out an
activation "code" that one must enter to activate an account.

--
Kye Lewis <kye@...islan.id.au>
On Sat, 2004-05-22 at 13:15, Aditya, ALD [Aditya Lalit Deshmukh] wrote:
> Dear sir,
>
> I just received the activation email from the stormpay.com
> the activation email contains the password to the site!
>
> Sir, may I know why does the stormpay.com send the password by email
> with *all* the account details to the email address in plaintext that
> is not encrypted ?
>
> I would like to know if during the transmission of the email if
> someone got hold of the mail and misused the account who would be
> responsible for it ?
>
>
> hoping the u would quickly.
> -aditya
>
> Delivered using the Free Personal Edition of Mailtraq
> (www.mailtraq.com)