  • #2206645

    Is Emailing passwords really a good idea?

    by tink! ·

    I know there are sites out there that when you register, they email you your password.

    Or, if you forget your password, they’ll email it to you.

    Is this really an ok process?

    The reason I ask is because I’m currently developing a member area of our website where the user would have to log in. I am trying to decide how to handle the passwords.

    Note: I am not a learned web developer, I am one who is learning on the fly.

    Right now the Register Form info is sent to me via an email. If a user chose their password using this form, I get the feeling that the info could be compromised. Am I right? What if it was on a secure server?

    Then the other part – if they forget their password, is it ok if I email it to them upon request?

    Email just seems rather risky to me.
    I read once that you should liken sending an email to sending a postcard in the mail. Any hands that it goes through can see the message.

    The site is using ASP pages with an Access DB. If you have any suggestions of how to handle the passwords other than emailing them, I’d be much obliged!

    Tink 🙂

    • #2836269

      If it is an internal page

      by the scummy one ·

      In reply to Is Emailing passwords really a good idea?

      for internal employees, why not send the password to their voicemail instead?
      Do they have password-protected vmail? If security is an issue, and they do, this is probably the best route.

      • #2836267

        Not internal

        by tink! ·

        In reply to If it is an internal page

        It’s the business website.

        We’re (er…I’m) trying to develop an area of the site where our clients can log in to view client-specific information.

        • #2836265

          In that case, it may be best to send a link — EDITED

          by the scummy one ·

          In reply to Not internal

          where they need to verify some information on a server page, before their temp PW is revealed.
          Also note — if this PW is compromised, it is only a temp PW, and they should be forced to change it right after logon.
          Sending it through mail is not the best option, but since it is temp, it isn’t a huge risk either.

          Edit: Also note that ANY time that there are any account changes, no matter how minor it may seem, an email is sent to the registered email address(es) for said user.
          This should not have any information about the changed information, but should reference the type of change that was made, or at least that a change was made to their account.
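
One way to implement the flow described in the reply above, as an added example that is not code from the thread: it is written in Python rather than the site's ASP, with in-memory dicts standing in for the Access DB and the mail sender. `ResetService`, the 15-minute expiry and the `check` verification value (something only the client knows, such as an account number) are assumptions.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 15 * 60  # assumption: reset links expire after 15 minutes

def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the DB never holds a readable password to e-mail.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetService:
    def __init__(self, base_url, clock=time.time):
        self.base_url, self.clock = base_url, clock
        self.users = {}    # user_id -> dict(email, check, salt, pw_hash, must_change)
        self.tokens = {}   # sha256(token) -> (user_id, expires_at); raw token not stored
        self.outbox = []   # (recipient, body), stand-in for the mail sender

    def add_user(self, user_id, email, check):
        self.users[user_id] = dict(email=email, check=_h(check), salt=b"",
                                   pw_hash=b"", must_change=False)

    def request_reset(self, user_id):
        user = self.users.get(user_id)
        if user is None:
            return  # unknown ids get the same silent outcome, no mail sent
        token = secrets.token_urlsafe(32)
        self.tokens[_h(token)] = (user_id, self.clock() + TOKEN_TTL)
        # The e-mail carries only a link, never a password.
        self.outbox.append((user["email"], f"{self.base_url}/reset?t={token}"))

    def redeem(self, token, check):
        """Return a temp password for display on the (HTTPS) page, or None."""
        user_id, expires = self.tokens.pop(_h(token), (None, 0))  # single use
        if user_id is None or self.clock() > expires:
            return None
        user = self.users[user_id]
        if not hmac.compare_digest(user["check"], _h(check)):
            return None  # link is already burned; a new one must be requested
        temp = secrets.token_urlsafe(9)
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = hash_password(temp, user["salt"])
        user["must_change"] = True  # force a new password right after logon
        # Notification names the type of change but none of the changed data.
        self.outbox.append((user["email"],
                            "A password reset was completed on your account."))
        return temp
```

The login handler would check `must_change` and refuse to show client files until a new password has been set.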

        • #2836260

          eep

          by tink! ·

          In reply to In that case, it may be best to send a link — EDITED

          Ok, let me clarify. I don’t have a setup that STORES passwords or any other info from the site to the DB. Currently it only Retrieves data from the DB.

          I am manually entering user ids, passwords and the client files.

          When the client logs in, the site verifies their user id and password with what is stored in the DB, then displays the files for that client.

          So, at the moment, I do not have a way for them to CHANGE their password, other than contacting me.

          And the sites I mentioned before – they don’t just send you a temp password – they send you THE password. As well, there are those that send BOTH the user id & password in the register verification email!

          I need the simplest method of sending a user their password and the user picking their password.

        • #2836256

          In this case, I think it may be better for

          by the scummy one ·

          In reply to eep

          someone else to answer. Sorry 🙂

    • #2836262

      E-mailing passwords not a good idea

      by harsha sharma ·

      In reply to Is Emailing passwords really a good idea?

      Yes, e-mailing the passwords is not a good idea. There may be a chance of phishing the mails, hence you can deal with the person through a call by referring to all personal details and the security details of the person.
      I think this is the best idea from my side...
