Plain Text Password In Welcome E-Mail?

security passwords

1 reply to this topic

#1 ochado

    Member

  • Members
  • Others: BackupBuddy
  • 19 posts

Posted 31 January 2014 - 10:10 AM

I signed up for iThemes last week, and only now did I read the welcome e-mail in some detail. I was surprised and disappointed to find that you e-mailed me my password in plain text.

[Attached image: iThemes welcome.PNG]

It is a basic password security issue that account passwords should be encrypted, hashed and salted so that not even the iThemes support staff need to see our passwords. Sending passwords in plain text in e-mail is quite irresponsible.

For websites that maintain plain text passwords, I usually don't bother to even complain; I just change to a low security password that I don't care about. However, I sincerely hope to have a long relationship with iThemes, so I really do care enough to complain about this.

Could you please change your password policy so that user passwords remain invisible and unknown even to support staff?

Regards,
Chitu

#2 Chris Jean

    Code Monkey

  • Administrators
  • 3,340 posts

Posted 03 February 2014 - 01:21 PM

Hi Chitu.

The email being sent out with the input password is part of the old system that we built our membership system out of. Over the years, we've removed piece after piece of that old system, but some of it still remains. That email is one of the remnants.

I mentioned this to our internal developer to see about getting a roadmap together for replacing the remaining bits with something improved in both the sense of security and features. As some of this is baked deep into the code of that system, it will likely take some time to develop a new solution.

Thanks for reminding us of it as those of us in the office rarely see some of those messages.
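The storage and welcome-mail pattern requested in this thread, as an added example that is not part of the original posts and is not iThemes code: the signup handler keeps only a salted, slow hash, and the welcome e-mail carries no credential. The function names, the e-mail wording, the dict standing in for a database, and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

def hash_password(password: str) -> dict:
    """Derive a salted, slow hash; only this record is stored, never the password."""
    salt = secrets.token_bytes(16)  # unique per account, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def legacy_welcome_email(address: str, password: str) -> str:
    """The pattern reported in the thread: the chosen password echoed back by mail."""
    return f"To: {address}\nSubject: Welcome\n\nYour password is: {password}\n"

def welcome_email(address: str) -> str:
    """Replacement body: confirms the account and carries no credential."""
    return (f"To: {address}\nSubject: Welcome\n\n"
            "Your account is ready. Sign in with the credentials you chose at signup.\n"
            "If you forget them, request a reset link from the login page.\n")

def leaks_secret(message: str, secret: str) -> bool:
    """Test-suite guard for outbound mail: True if the secret appears in the body."""
    return secret in message

def register(db: dict, address: str, password: str) -> str:
    """Store only the hash record, then build the mail without touching the password."""
    db[address] = hash_password(password)
    return welcome_email(address)

if __name__ == "__main__":
    db = {}  # hypothetical stand-in for the user table
    pw = "constructed-sample-passphrase"  # constructed sample value
    print(register(db, "user@example.com", pw))
    print("verifies:", verify_password(pw, db["user@example.com"]))
    print("legacy mail leaks:",
          leaks_secret(legacy_welcome_email("user@example.com", pw), pw))
```

Running `leaks_secret` over every rendered mail template in the test suite catches a legacy template that still interpolates the password before it ships.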