The password is sent to my email. I think it is a security issue to have a password sent upon registration.
Username : cordoval
Pass : XXXX
Updated by Yannick Warnier over 7 years ago
There could be an option to disable it, but in general NOT sending the password results in complications for our users (which can be of very low level), given the only other possibility is to send them a link to connect directly. Such a link is not more secure than the password, as it also allows a potential cracker to connect directly to your account.
In fact, upon registration for most web applications today, you get the same kind of e-mail reminding you of your password, unless they use the connection link mentioned above.
To me, this is not really a security flaw although, as I said, we can add an option for that in the run to v1.10.
I'll leave it open and see what the popular opinion is on this. If many people agree with you, we'll include it in 1.10, otherwise I'll reject it (no offense).
Updated by Eric Petitdemange over 7 years ago
Sending a password is not a big security issue for several reasons:
- If you want to avoid this, you can then use the SSO feature, through LDAP.
- The password can (may) be changed by the user and it is possible to hash it (MD5/SHA1).
- The platform sends the user's credentials to a specific user unless you are using a generic email such as email@example.com.
- The platform can track the connection IP address, and the administrator can then decide with the users on a password to use.
- The courses may not be confidential; otherwise you disable the mail feature.
I won't go any further, but I could be more productive in terms of security issues :)