General discussion


Is Emailing passwords really a good idea?

By Tink! ·
I know there are sites out there that when you register, they email you your password.

Or, if you forget your password, they'll email it to you.

Is this really an ok process?

The reason I ask is because I'm currently developing a member area of our website where the user would have to login. I am trying to decide how to handle the passwords.

Note: I am not a learned web developer, I am one who is learning on the fly.

Right now the Register Form info is sent to me via an email. If a user chose their password using this form, I get the feeling that the info could be compromised. Am I right? What if it was on a secure server?

Then the other part - if they forget their password, is it ok if I email it to them upon request?

Email just seems rather risky to me.
I read once that you should aliken sending an email to sending a postcard in the mail. Any hands that it goes through can see the message.

The site is using ASP pages with an Access DB. If you have any suggestions of how to handle the passwords other than emailing them, I'd be much obliged!

Tink :)

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

If it is an internal page

by The Scummy One In reply to Is Emailing passwords rea ...

for internal employees, why not send the password to their voicemail instead?
Do they have password protected vmail? If security is an issue, and they do, this is probably the best route.

Collapse -

Not internal

by Tink! In reply to If it is an internal page

It's the business website.

We're (er...I'm) trying to develop an area of the site where our clients can login to view client specific information.

Collapse -

In that case, it may be best to send a link -- EDITED

by The Scummy One In reply to Not internal

where they need to verify some information on a server page, before their temp PW is revealed.
Also note -- if this PW is comprimised, it is only a temp PW, and they should be forced to change it right after logon.
Sending it through mail is no tthe best option, but since it is temp, it isnt a huge risk either.

Edit: Also note that ANY time that there are any account changes, no matter how minor it may seem, an email is sent to the registered email address(s) for said user.
This should not have any information about the changed information, but should reference the type of change that was made, or at least that a change was made to their account.

Collapse -


by Tink! In reply to In that case, it may be b ...

Ok, let me clarify. I don't have a setup that STORES passwords or any other info from the site to the DB. Currently it only Retrieves data from the DB.

I am manually entering user ids, passwords and the client files.

When the client logs in, the site verifies their user id and password with what is stored in the DB, then displays the files for that client.

So, at the moment, I do not have a way for them to CHANGE their password, other than contacting me.

And the sites I mentioned before - they dont' just send you a temp password - they send you THE password. As well there are those that send BOTH the user id & password in the register verification email!

I need the simplest, method of sending a user their password and the user picking their password.

Collapse -

In this case, I think it may be better for

by The Scummy One In reply to eep

someone else to answer. Sorry :)

Collapse -

E mailing passwords not a good idea

by harsha sharma In reply to Is Emailing passwords rea ...

Yes E mailing the passwords is not a good idea there may be a chance of phishing the mails hence you can deal with the person through a call by referring all personal details and the security details of the person.
I think this is the best idea from my side...........

Related Discussions

Related Forums