Forum Moderators: phranque


Emailing password on registration

         

Musicarl

9:46 pm on Nov 28, 2005 (gmt 0)

10+ Year Member



Hello.

When a user registers on our site, we send them a welcome message with a reminder of their login and password. It's something we've been doing for years, but I got a note from a user who was disturbed by this. Is it still common practice to send the welcome message with the password, or should we get rid of it?

sonjay

10:05 pm on Nov 28, 2005 (gmt 0)

10+ Year Member



For me, that would depend on the type of site you're talking about.

On message boards and other non-financial places, I like getting the welcome e-mail with username/password. I file it away in my "subscriptions" mailbox so that I can always retrieve it later if I forget it.

However, if my bank sent me an e-mail with my login details in plain text, I'd be closing my account and finding another bank so fast your head would spin.

jatar_k

10:07 pm on Nov 28, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I wouldn't put username and password and a login link in the same email.

I also force them to change any password that has been sent in email on next login to the site.

I never resend an old password; I create a new random password and then require them to change it on next login to the site.

kaled

11:35 am on Nov 29, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you continue to do this, I suggest you state this on the signup page. I use several passwords - for instance, the password I use for WW is one I typically use for low/no security situations. I use other passwords for banking, etc. Some people may only ever use one password and may feel that their security is threatened if that password is emailed back to them unexpectedly.

Kaled.

Musicarl

9:54 pm on Nov 30, 2005 (gmt 0)

10+ Year Member



With the concerns about identity fraud, I'm starting to think that including the password is a bad idea. This would probably be a good time to tweak the welcome message anyway, and we can remind them how to retrieve passwords.

I appreciate the good advice.

lasko

1:13 pm on Dec 1, 2005 (gmt 0)

10+ Year Member



I create a new random password and then require them to change it on next login to the site

I agree. Normally it is best to store passwords in a database encrypted so that they can't be decrypted; I think MD5 is the one?

That way you have to reset passwords for them to log in, and then they renew once logged in. Again, it depends on your site, but you never know what direction your site will take, so it's good practice to have this, especially when users will update content, either BB or advertisements, etc.

I think the most widely used method these days is to use email address as username, a secret question for reminders and an encrypted password between 6 and 15 characters.

victor

1:59 pm on Dec 1, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yep. Never send an existing password to a user, especially if it was one they chose themselves.

If they have poor password security (i.e. use the same password for more than one site) you will be exposing a personal detail with wider ramifications than just your site's access.

If you do send a password, only do so as part of a "forgotten password" procedure in which you are generating a new password. Don't mention the username in that email.
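The reset procedure discussed in this thread (a new random password, a forced change on next login, no username in the email), sketched as an added example that is not part of the original thread or any poster's code. The in-memory `USERS` table, the function names, the sample account and the use of salted PBKDF2-HMAC-SHA256 for the stored one-way hash are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# In-memory stand-in for the user table (constructed sample account, no password set yet).
USERS = {"carl@example.com": {"username": "carl.m", "salt": b"", "pw_hash": b"",
                              "must_change": False}}

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow one-way hash; the plaintext is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _store(user: dict, password: str, must_change: bool) -> None:
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = hash_password(password, user["salt"])
    user["must_change"] = must_change

def start_reset(email: str) -> Optional[str]:
    """Replace the password with a random temporary one; return the email body."""
    user = USERS.get(email)
    if user is None:
        return None
    temp = secrets.token_urlsafe(12)  # freshly generated, never the old password
    _store(user, temp, must_change=True)
    # The body carries the temporary password only: no username, no login link.
    return (f"Your temporary password is: {temp}\n"
            "You will be asked to choose a new one when you sign in.")

def login(email: str, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok'."""
    user = USERS.get(email)
    if user is None or not user["pw_hash"]:
        return "denied"
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "denied"
    # A password that travelled by email only unlocks the change-password step.
    return "change_required" if user["must_change"] else "ok"

def change_password(email: str, current: str, new: str) -> bool:
    """Accept a new password only after the current one verifies."""
    if login(email, current) == "denied" or new == current:
        return False
    _store(USERS[email], new, must_change=False)
    return True
```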