Bug #6716

password is sent to my email, i think this is a security issue to have a password sent upon registration

Added by Luis Cordova over 7 years ago. Updated over 6 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 23/09/2013
Due date:
% Done: 0%
Estimated time:
Complexity: Normal
SCRUM pts - complexity: ?

Description

Username : cordoval
Pass : XXXX

History

#1

Updated by Yannick Warnier over 7 years ago

Hi Luis,

There could be an option to disable it, but in general NOT sending the password results in complications for our users (which can be of very low level), given the only other possibility is to send them a link to connect directly. Such a link is not more secure than the password, as it also allows a potential cracker to connect directly to your account.

In fact, upon registration for most web applications today, you get the same kind of e-mail reminding you of your password, unless they use the connection link mentioned above.

To me, this is not really a security flaw although, as I said, we can add an option for that in the run to v1.10.

I'll leave it open and see what the popular opinion is on this. If many people agree with you, we'll include it in 1.10, otherwise I'll reject it (no offense).

#2

Updated by Eric Petitdemange over 7 years ago

Hi guys,

Sending a password is not a big security issue for several reasons:
- If you want to avoid this, you can then use the SSO feature, through an LDAP.
- The password can (may) be changed by the user, and it is possible to hash it (MD5/SHA1).
- The platform sends the user's credential to a specific user unless you are using a generic email such as
- The platform can track the connection IP address, and the administrator can then decide with the users on a password to use.
- The courses may not be confidential; otherwise you disable the mail feature.

I won't go any further, but I could be more productive in terms of security issues :)

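The "connection link" alternative that comment #1 weighs against a mailed password, as an added example written for this page (not Chamilo's code): the link carries a random, single-use token that expires, the store keeps only a hash of the token and a salted slow hash of the password, and the password itself is never mailed. The class and function names, the one-hour TTL and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 3600   # assumed: a connection link should die after an hour
PBKDF2_ROUNDS = 200_000    # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF rather than a bare MD5/SHA1 digest of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Registration:
    """Toy registration store: the e-mail carries a random activation token,
    never the password, and the database holds only salted hashes."""

    def __init__(self) -> None:
        self.users = {}    # username -> {"salt", "pw_hash", "active"}
        self.tokens = {}   # sha256(token) -> (username, expires_at)

    def register(self, username: str, password: str, now: float) -> str:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt,
                                "pw_hash": hash_password(password, salt),
                                "active": False}
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, so a database read cannot mint a link.
        token_key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[token_key] = (username, now + TOKEN_TTL_SECONDS)
        return token   # goes into the e-mailed link; the password never does

    def activate(self, token: str, now: float) -> bool:
        token_key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(token_key, None)   # pop: the link is single use
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False   # an expired link is dead even if the mailbox leaks later
        self.users[username]["active"] = True
        return True

    def login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None or not user["active"]:
            return False
        candidate = hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["pw_hash"])
```

Compared with a mailed password, the mailed token is worthless after one use or one hour, and nothing in the mailbox or the database reveals the password itself.
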
#3

Updated by Yannick Warnier about 7 years ago

I think the shortest solution could just be to add a text below the password field saying "This password will be sent to you by e-mail when your account is created".

#4

Updated by Yannick Warnier over 6 years ago

- Target version set to 2.0
