Please Don’t Send Password In Registration Confirmation E-Mail

For everyone who is designing a website, please never, ever send a password in the registration confirmation email. I usually like keeping these confirmation emails to keep track of all the websites where I ever registered. However, when a website sends a confirmation email that contains the password along with the userid, I delete that email immediately. What is the need to send me my password in plain text? BTW, this just happened to me with ning.com.

In addition, learn about one-way hashing (often called one-way encryption) and never store the plaintext password. A password should never be “retrievable”. If users lose their password, they should be able to set a new one: send an email with a long, unique key that no one can guess, and when that URL is accessed, let the user enter a new password.
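A minimal version of the flow described above, as an added example that is not from the original post: the password is stored only as a salted one-way hash, the confirmation message never contains it, and a reset works through a long random single-use key whose hash (not the key itself) is kept with an expiry. The in-memory dictionaries, user records and function names are assumptions; a real site would use its database and mailer.

```python
# Added example: registration and reset without ever storing or mailing a
# plaintext password. Storage is an in-memory dict (assumption, for the demo).
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

USERS = {}                 # userid -> {"salt": bytes, "hash": bytes}
RESETS = {}                # sha256(token) -> {"userid": str, "expires": float}
RESET_TTL = 15 * 60        # reset links die after 15 minutes

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow, one-way: the plaintext is never written anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(userid: str, password: str) -> str:
    salt = os.urandom(16)
    USERS[userid] = {"salt": salt, "hash": _hash_password(password, salt)}
    # The confirmation mail carries the userid only, never the password.
    return f"Welcome {userid}, your account is ready."

def verify_login(userid: str, password: str) -> bool:
    rec = USERS.get(userid)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

def create_reset_token(userid: str, now: Optional[float] = None) -> Optional[str]:
    # Long unguessable key; only its hash is stored, so a leaked table does
    # not hand out working reset links.
    if userid not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESETS[hashlib.sha256(token.encode()).hexdigest()] = {
        "userid": userid, "expires": (now or time.time()) + RESET_TTL}
    return token  # goes into the mailed URL, e.g. /reset?token=<token>

def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESETS.pop(key, None)  # single use: valid or not, it is gone
    if entry is None or (now or time.time()) > entry["expires"]:
        return False
    salt = os.urandom(16)
    USERS[entry["userid"]] = {"salt": salt,
                              "hash": _hash_password(new_password, salt)}
    return True
```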


Filed under Security
