Please do not send password

Discussion about the board itself, forums organization and site bugs.
noscript_user
Posts: 7
Joined: Tue Apr 07, 2009 12:23 pm

Please do not send password

Post by noscript_user »

Dear Forum-Admins,

could you please change the forum setting to not send the password in the welcome mail. You may know that an unencrypted e-mail is more open than a postcard. This would save users from changing their password again after having registered.

Thanks
Firefox 3.0.9, Add-on: Noscript, Adblock+, Context search, personal menu
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Please do not send password

Post by Giorgio Maone »

eh eh, I'll do it as soon as the forum is sensible enough to deserve SSL encryption on its own.
You know that sending passwords in clear to a website is like shouting them from your window... ;)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
nagan
Senior Member
Posts: 340
Joined: Thu Mar 26, 2009 11:05 am

Re: Please do not send password

Post by nagan »

noscript_user wrote:Dear Forum-Admins,

could you please change the forum setting to not send the password in the welcome mail. You may know that an unencrypted e-mail is more open than a postcard. This would save users from changing their password again after having registered.

Thanks
But sometimes it helps people with astonishing memory like me! :D
Dreams are REAL possibilities. Pursue them with zest and you can make them HAPPEN!
You are GOD.Realize THAT!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Please do not send password

Post by GµårÐïåñ »

I personally feel that since the email is no less secure than regular HTTP authentication, as Giorgio pointed out, having a record of your credentials when beginning might be helpful, as nagan pointed out. Ultimately common sense and good practices prevail, and having your password in an email or posting it to a website using no SSL will not be a big issue generally. I have been getting my credentials for the most sensitive things, like banks, credit cards, and so on and so forth, and in all my years I have never had a problem; I am not saying a problem is not possible or that forums should be treated any less, just saying don't worry too much.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 NoScript/1.9.1.7 FlashGot/1.1.8.5 FirePHP/0.2.4
noscript_user
Posts: 7
Joined: Tue Apr 07, 2009 12:23 pm

Re: Please do not send password

Post by noscript_user »

Giorgio Maone wrote:eh eh, I'll do it as soon as the forum is sensible enough to deserve SSL encryption on its own.
You know that sending passwords in clear to a website is like shouting them from your window... ;)
Oh yes, of course, you are right. Then I don't need to care about my password anymore.
Firefox 3.0.9, Add-on: Noscript, Adblock+, Context search, personal menu
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Please do not send password

Post by Tom T. »

GµårÐïåñ wrote: I have been getting my credentials for the most sensitive things, like banks, credit cards, so on and so forth and in all my years never had a problem; not saying a problem is not possible or that forums should be treated any less, just saying don't worry too much.
OMG, I would *never* receive a bank or CC credential in email. Usually, they do things like authenticate you over the phone, give you a temp pwd or PIN, you log in and change it immediately. Then only *you* know it, and if the site is set up properly, they don't know it (securely hashed in the database). Sometimes the bank IT dept has access to it; presumably they're well-screened, one hopes. The other way is they send it in US Mail, which is still pretty secure, in an opaque envelope with a non-attention-getting return address. And some other ways, too. But *never* in email. The smartest banks don't even communicate with you over open e-mail (other than for ads lol) -- they have a secure messaging system inside your SSL login account. MHO/YMMV.
noscript_user wrote:Oh yes, of course, you are right. Then I don't need to care about my password anymore.
Not sure if you're being sarcastic there or serious, but no one is advising you to post it on the Web or on restroom walls. The worst that could happen here is that someone who got it could post bad things in your name and we'd be mad at you. OTOH, if someone compromised the Admin or a Moderator account..... hmmm...
FWIW, Wikipedia offers a secure login page and a non-secure; their admins are recommended to use the secure. (There had been a series of compromises.) They also let you post an SHA-512 (or other) hash of some secret only you know, so if the acct is compromised, presumably only you would know the secret that would produce that hash output, proving that you're you and the haxxor isn't. Cheers!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US and very good at it, so please write properly; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 which is much better than 3.x
noscript_user
Posts: 7
Joined: Tue Apr 07, 2009 12:23 pm

Re: Please do not send password

Post by noscript_user »

Tom T. wrote:Not sure if you're being sarcastic there or serious, but no one is advising you to post it on the Web or on restroom walls.
It doesn't matter whether I am serious or sarcastic.
Giorgio Maone wrote:You know that sending passwords in clear to a website is like shouting them from your window...
Unfortunately, this fact stated by Giorgio is simply true.
Tom T. wrote:The worst that could happen here is that someone who got it could post bad things in your name and we'd be mad at you.
So, as a user, what could I do? I have chosen a good password, and was a little concerned because it was sent in an e-mail, but there is nothing more I could do. What would you do? I would be grateful for some ideas.
Firefox 3.0.9, Add-on: Noscript, Adblock+, Context search, personal menu
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Please do not send password

Post by Giorgio Maone »

noscript_user wrote:So, as a user, what could I do? I have chosen a good password, and was a little concerned because it was sent in an e-mail, but there is nothing more I could do.
You did it right.
As you can see, this forum is not served over HTTPS, which means accounts (even my own) are vulnerable to man-in-the-middle attacks, therefore there's no point in not sending out otherwise useful email notifications.
I don't care too much: as long as my DNS (djbdns) is not poisoned and my ISP is not interested in reading my forum password, I'm OK with that and won't log in from public Wi-Fi.
Should this forum become a more interesting target for attackers, I may put it on SSL.
noscript_user wrote:What would you do? I would be grateful for some ideas.
As a suggestion, whenever you need to create an account on a site which doesn't use SSL, choose a good password, but one very different from those you use elsewhere...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Please do not send password

Post by Tom T. »

noscript_user wrote: I would be grateful for some ideas.
There is a very nice random-password generator (OK, technically it's pseudo-random, but of crypto-strength randomness) at http://www.grc.com/pass. Served over SSL, newly generated every time you refresh the page; the page has an expiration date of 1999 to prevent replay attacks; choice of alphanumeric, alpha+keyboard (!@#$%^&*( etc.), or hex; each string is 63-64 characters, so you can copy only what length you need. Although I would consider Steve Gibson highly trustworthy (at least as far as passwords; he's controversial at times on other issues), even he doesn't know which characters you chose from the 190 offered, and you can refresh the page as often as you like, etc.

Also, Password Safe not only securely stores your logins for up to hundreds of sites, it contains its own PW generator, which lets you define the rules (length, upper/lower case, numbers, keyboard characters yes/no) to meet each site's requirements and your own. Totally free (like NS and Flashgot).

For sending sensitive email, Hushmail provides fully encrypted email, end-to-end security over SSL, without the degree of user knowledge, installation, or configuration needed by PGP or GPG. Free so long as you log in at least once every three weeks; premium services offered but not required. The free version is fully functional, not crippleware, just with a low storage limit. (If it's that sensitive, you probably don't want to store it remotely anyway.)

DISCLAIMER: Neither this site nor its Admin/Developer can endorse or be responsible for any software or service provided by any other party. The above provided for informational purposes from personal experience only, in the hope that it may be of use. Investigate thoroughly and use at your own risk.

Thanks for your interest in security.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US and very good at it, so please write properly; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 which is much better than 3.x
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Please do not send password

Post by GµårÐïåñ »

@Tom, I see you got to play with your user agent string and I do try to write properly ;) but sometimes miss the mark :lol:

If I may also recommend a solution that is NOT free but absolutely awesome: RoboForm, which I use. It effectively bypasses any type of keylogger or screen monitor because it will submit credentials for you, and it's very secure and encrypted; I have used it for so long that I almost can't remember some of my credentials as a result. For making unique passwords for each site, to ensure that I don't leave myself open by reusing the same pass that might get compromised, it is very, very helpful. Also, as long as you have 100 or fewer passcards, as they call them, RoboForm is actually free; with the registered version, which is a one-time fee and you have it for life, you can have unlimited passcards and some customization options too. A very clever tool, and it has a built-in password generator using very secure encryption ciphers.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 NoScript/1.9.1.7 FlashGot/1.1.8.5 FirePHP/0.2.4
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Please do not send password

Post by therube »

Some might find this interesting: Terrible security breach at Google.

The gist of the matter seems to be ...

* Virgin Mobile sends login credentials to "email accounts"
* Google does not differentiate email addresses based upon (dots) in the name
* So geor.maon@gmail.com is the same as geormaon@gmail.com
* Someone signing up for a VM account either entered it incorrectly, or made up an email address - one that happened to be a valid address for someone else
* That someone else ended up with the (valid) login credentials for some VM user's account

Anyhow, in the scheme of things, prudent to use a unique password when signing up here - or anywhere else for that matter.


Google's handling of (dots) & note that there may be some variances: http://www.dslreports.com/forum/remark,22219308
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090410 SeaMonkey/2.0b1pre
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Please do not send password

Post by GµårÐïåñ »

Just to add: when you sign up for Gmail, any variation of the full string you sign up for is reserved, and no one can sign up for any variation of it. Here is an example: if, say, you want to register the account Tom.T@..., the system automatically reserves TomT, .TomT, .Tom.T, TomT., Tom.T. and so on; you get the idea. This way someone cannot register TomT to try and shadow or hijack the original user's account. This is because the PERIOD is used as a visual credential and not an actual credential value, so in processing it is ignored, and therefore any foundation match will be honored as described above, since it is reserved. However, if you have a user name TimT@ and someone accidentally types TomT@, it will forward to the Tom.T@ account, as it is a reserved value for that account, so that is not Gmail's issue; that's the sender's lack of care to make sure it's right. Anyway, just saying, and thanks Tom for letting me use you in my example :)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 FirePHP/0.2.4
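The dot-insensitive matching that therube's Virgin Mobile story and the post above both describe, as an added example (not code from this forum, from Google, or from Virgin Mobile): a registration-time check that canonicalises Gmail addresses and flags sign-ups whose mail would land in a mailbox some other registered address already delivers to. The domain set, the case handling, and the sample sign-up list are assumptions constructed for this example.

```python
from collections import defaultdict

# Assumption: Google treats these two domains as the same service.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail, dots in the local part are ignored and case does not matter,
    so "geor.maon@gmail.com" and "GeorMaon@gmail.com" both become
    "geormaon@gmail.com". Other domains only get their domain lowercased,
    since local-part rules are provider-specific (an assumption here).
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        return local.lower().replace(".", "") + "@gmail.com"
    return f"{local}@{domain}"


def shared_mailboxes(registered):
    """Group registered addresses that deliver to one mailbox.

    Returns {canonical_mailbox: [addresses...]} for every mailbox that more
    than one registered address resolves to. A sign-up flow can use this to
    refuse or flag the second registration instead of mailing it a password
    that a different account holder will receive.
    """
    groups = defaultdict(list)
    for addr in registered:
        groups[canonical_mailbox(addr)].append(addr)
    return {box: addrs for box, addrs in groups.items() if len(addrs) > 1}


# Constructed sample: a sign-up list containing the dot collision from the thread.
SAMPLE_SIGNUPS = [
    "geor.maon@gmail.com",
    "geormaon@gmail.com",
    "TimT@gmail.com",
    "tom.t@example.org",
]

if __name__ == "__main__":
    for box, addrs in shared_mailboxes(SAMPLE_SIGNUPS).items():
        print(f"{box} would receive mail for: {', '.join(addrs)}")
```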
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Please do not send password

Post by Tom T. »

GµårÐïåñ wrote:thanks Tom for letting me use you in my example :)
No problem: I have the shortest nick here, so it's a convenient example.

@ therube: Interesting - thanks for pointing it out. For genuinely sensitive accounts (banks, etc.) I've always used random-string *usernames* as well as passwords. Sure, "Tom T." is a quick, easy login here (as is "therube" lol), but to MyBankOne, I'm user NYq%Vj@l@5/nCGi, and at MyBankTwo, I'm user dc(97gBJ_Uj'Fpmow+P. Not too likely that some other user's info is going to get sent to me, or vice versa, dots or no dots. Your post gave me another reason to be glad of that policy. :ugeek:

This information is personal opinion only, offered "as-is", comes with no warranty and conveys no rights.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US and very good at it, so please write properly; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 which is much better than 3.x
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Please do not send password

Post by GµårÐïåñ »

Actually, it was that I had just finished talking to you in PM and had your name on the brain, so I figured what the heck :lol: I suppose I could have used Alan.Baxter as an example, but you are right, the shorter initials were subconsciously preferred :lol:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 AdblockPlus/1.0.1 NoScript/1.9.1.91 RequestPolicy/0.5.4 FirePHP/0.2.4