[Code] Putting a users list password in the email subscription email
Kurt Seifried
kurt at seifried.org
Fri Nov 25 20:42:16 UTC 2011
Part of the concern is password disclosure due to the fact that people
re-use passwords (I know and you know people shouldn't re-use
passwords but the fact is they do, and we should protect them and
other sites where possible).
If you have my email you can of course reset most of my passwords, but
you certainly shouldn't be able to view my existing passwords!
-Kurt
On Fri, Nov 25, 2011 at 10:32 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:
> FWIW, anyone who has access to that person's email already owns that user
> anyway.
>
> But for the record, I'm also against this practice.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Fri, Nov 25, 2011 at 7:45 AM, Robert Ameeti <robert at ameeti.net> wrote:
>>
>> What a horrendously terrible thing to do!!!
>>
>> It is wrong, wrong, wrong to put the user's list password in the confirmation
>> email in clear text. It is wrong to be storing the user's password in
>> anything other than a hashed value. If that user is using the same password
>> on other lists, that email can be found by anyone who has access to that
>> user's email which might be a thief. Please consider changing this procedure
>> asap.
>>
>> _______________________________________________
>> Code mailing list
>> Code at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-code
>
--
Kurt Seifried
kurt at seifried.org