Full Disclosure mailing list archives
Re: Password in the Activations Email
From: Kye Lewis <kye () lewislan id au>
Date: Sat, 22 May 2004 14:37:37 +1000
Is this necessarily worthy of a post to FD? I have never used that site, but I would only consider it evil if:

1) I gave it a password at signup and
2) It emailed that password back to me or
3) The password was not changeable or
4) the signup procedure before the activation required enough information about you that someone intercepting the mail could cause you problems or
5) the email sent out contained a considerable amount of, and potentially harmful, information about you or connected to you

(the first has happened to me only a small handful of times, I've never had the others happen)

If one of those is the case, then it's terrible, but I still don't believe it's worthy of a CC to full-disclosure.

However I think if it sends a temporary password out, and it asks you to change it, then that is fine in my books; it's akin to sending out an activation "code" that one must enter to activate an account.

--
Kye Lewis <kye () lewislan id au>

On Sat, 2004-05-22 at 13:15, Aditya, ALD [Aditya Lalit Deshmukh] wrote:
Dear sir,

I just received the activation email from the stormpay.com. The activation email contains the password to the site!

Sir, may I know why does the stormpay.com send the password by email with *all* the account details to the email address in plaintext that is not encrypted?

I would like to know, if during the transmission of the email someone got hold of the mail and misused the account, who would be responsible for it?

hoping the u would quickly.

-aditya

Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html