Full Disclosure mailing list archives

Re: Password in the Activations Email


From: Kye Lewis <kye () lewislan id au>
Date: Sat, 22 May 2004 14:37:37 +1000

Is this necessarily worthy of a post to FD?

I have never used that site, but I would only consider it evil if:

        1) I gave it a password at signup
        and
        2) It emailed that password back to me

        or

        3) The password was not changeable

        or

        4) the signup procedure before the activation
        required enough information about you that someone
        intercepting the mail could cause you problems

        or

        5) the email sent out contained a considerable
        amount of, and potentially harmful, information
        about you or connected to you

(the first has happened to me only a small handful of times, I've never
had the others happen)

If one of those is the case, then it's terrible, but I still don't
believe it's worthy of a CC to full-disclosure.

However I think if it sends a temporary password out, and it asks you to
change it, then that is fine in my books; it's akin to sending out an
activation "code" that one must enter to activate an account.

-- 
Kye Lewis <kye () lewislan id au>

On Sat, 2004-05-22 at 13:15, Aditya, ALD [Aditya Lalit Deshmukh] wrote:
Dear sir, 
 
I just received the activation email from the stormpay.com 
the activation email contains the password to the site!
 
Sir, may I know why stormpay.com sends the password by email
with *all* the account details to the email address in plaintext that
is not encrypted?
 
I would like to know: if, during the transmission of the email, someone
got hold of the mail and misused the account, who would be
responsible for it?
 
 
hoping the u would quickly.
-aditya



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
