I just joined an organisation using this platform and was horrified that a password was generated for me, and then sent to the email address I used to register with, along with a link directly to the login page. As far as minimum levels of security go, this is a spectacular fail.
I then tried to change my password, and the UX around this is _horrible_; no indication of max/min length, no indication of chars allowed, and the failure message for a password which is too long is that the password is too short... This really does beg the question, how are passwords being stored, and why are char sets restricted. In my opinion, this is just horrific.
1) Never set a user's password - they should be allowed to set their own
2) Never restrict the length or allowable chars for a user password; there's simply no need
3) Never, ever, ever, EVER, send a password in plain text to the email address registered; bonus negative points for providing the login link in the same email.
The fact that this idea was proposed nearly 2 years ago and still hasn't been implemented is extremely worrying - this shouldn't be a 'nice to have' on a wishlist - this should be the absolute minimum level of development with security in mind.
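A defender-side illustration of the three points above, added here as example code (not part of the original post or of the platform being discussed): the emailed link carries a single-use, expiring setup token rather than a password, the user chooses their own password with no character-set rules and precise error messages, and only a salted scrypt hash is stored. The minimum length, the generous byte ceiling (there only to bound KDF cost), the token lifetime and the scrypt parameters are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

MIN_CHARS, MAX_BYTES = 12, 1024  # assumed policy: a floor for strength, a large ceiling only to bound hashing cost

def check_password_policy(pw: str) -> Optional[str]:
    """Return a precise error message, or None if the password is acceptable. No charset restrictions."""
    if len(pw) < MIN_CHARS:
        return f"password too short: need at least {MIN_CHARS} characters"
    if len(pw.encode("utf-8")) > MAX_BYTES:
        return f"password too long: at most {MAX_BYTES} bytes"
    return None

def hash_password(pw: str) -> dict:
    """Store only a per-user salt and the scrypt-derived key, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"salt": salt, "hash": digest}

def verify_password(pw: str, rec: dict) -> bool:
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=rec["salt"], n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison

def issue_setup_token(user: dict, ttl_seconds: int = 3600) -> str:
    """Create the secret that goes into the emailed 'set your password' link; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    user["setup_token_hash"] = hashlib.sha256(token.encode()).digest()
    user["setup_expires"] = time.time() + ttl_seconds
    return token

def complete_setup(user: dict, token: str, new_pw: str) -> Optional[str]:
    """Consume the token exactly once and let the user set their own password."""
    expected = user.get("setup_token_hash")
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or time.time() > user["setup_expires"] or not hmac.compare_digest(presented, expected):
        return "invalid or expired setup link"
    err = check_password_policy(new_pw)
    if err:
        return err
    user["password"] = hash_password(new_pw)
    user["setup_token_hash"] = None  # single use: a replayed link no longer works
    return None
```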