Plain Text Password In Welcome E-Mail?

security passwords


#1 ochado

Posted 31 January 2014 - 10:10 AM

I signed up for iThemes last week, and only now did I read the welcome e-mail in some detail. I was surprised and disappointed to find that you e-mailed me my password in plain text.

It is a basic password security issue that account passwords should be encrypted, hashed and salted so that not even the iThemes support staff need to see our passwords. Sending passwords in plain text in e-mail is quite irresponsible.

For websites that maintain plain text passwords, I usually don't bother to even complain; I just change to a low security password that I don't care about. However, I sincerely hope to have a long relationship with iThemes, so I really do care enough to complain about this.

Could you please change your password policy so that user passwords remain invisible and unknown even to support staff?

Regards,
Chitu

#2 Chris Jean

Posted 03 February 2014 - 01:21 PM

Hi Chitu.

The email being sent out with the input password is part of the old system that we built our membership system out of. Over the years, we've removed piece after piece of that old system, but some of it still remains. That email is one of the remnants.

I mentioned this to our internal developer to see about getting a roadmap together for replacing the remaining bits with something improved in both the sense of security and features. As some of this is baked deep into the code of that system, it will likely take some time to develop a new solution.

Thanks for reminding us of it as those of us in the office rarely see some of those messages.
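
The practice requested in this thread, as an added example that is not part of the original posts and not iThemes code: registration stores only a salted hash, the welcome e-mail never contains the password, and a forgotten password is handled with a single-use, expiring reset token. The in-memory dictionaries, the `members.example` URL, the iteration count and the token lifetime are assumptions made for the example.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 600_000          # PBKDF2 work factor (assumed value for this example)
TOKEN_TTL = 3600              # reset link lifetime in seconds (assumed)
users, reset_tokens = {}, {}  # in-memory stand-ins for database tables

def hash_password(password, salt=None):
    """Return 'salt_hex$hash_hex'; only this string is stored, never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"

def verify_password(email, password):
    """Re-derive the hash with the stored salt and compare in constant time."""
    stored = users.get(email)
    if stored is None:
        return False
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), stored)

def register(email, password):
    """Store the salted hash and return a welcome e-mail body without the password."""
    users[email] = hash_password(password)
    return (f"Welcome! Your account {email} is ready.\n"
            "Sign in at https://members.example/login with the password you chose.\n"
            "Forgot it? Request a reset link from the sign-in page.")

def issue_reset_token(email, now=None):
    """Create a single-use token; only its SHA-256 digest is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[digest] = (email, now + TOKEN_TTL)
    return token  # this value goes into the e-mailed reset link

def redeem_reset_token(token, new_password, now=None):
    """Set a new password if the token is known and unexpired; a token works once."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    email, expires = reset_tokens.pop(digest, (None, 0))
    if email is None or now > expires:
        return False
    users[email] = hash_password(new_password)
    return True
```

Because the stored value is a one-way hash, neither the mail template nor support staff can recover the original password; the only thing that ever travels by e-mail is a short-lived token.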