Password sent in emails

  • Hello!


    Sending passwords in emails, not even encrypted, is bad practice and common sense. Please fix this so a link is sent to the user instead, letting the user set this by himself. This will also allow the user to set the right password from the beginning and not be forced into bad passwords.


    /regards

  • First, that's more something for the bug tracker than the forum. Second, I think it won't be done in 1.x.x. If you want, you're free to create a PR :)

  • OK, ty for the response; if this was intentional I don't see this as a bug :). Well, can I ask if there is any advantage to having the password set by administrators in the first place? Maybe codewise this is a better solution, but I really see this as a big issue; my clients are getting nervous about this.

  • Also for feature requests :P It's planned to fix it in 1.3.x, because it should be easy to implement :)

  • Great!
    I was also wondering about this. It could be a security issue. Thanks for the reply Ninos! Appreciated :)

  • Hello,


    Funny...


    You're talking about a security issue here... Of course, sending a password in a welcome mail is not really safe due to a possible MITM attack, but sending a link is not really better because this is open to the same attack...


    In the welcome mail we clearly ask the user to change his password the first time he connects to the panel...



    Whatever, we will fix that as you want by providing a link, but this will not be safer...

  • This will at least force every customer to set a password.

    Yeah, but all this is about customer's laziness (or stupidity)... ;)

  • Yeah, but all this is about customer's laziness (or stupidity)...

    You're totally right, but we are talking about customers that usually aren't tech-savvy. People tend to make bad decisions, so software should become "Secure by Default" and force the user to make the right decision.

  • In my opinion the autogenerated password is mostly more secure than a self-chosen password. The only issue is that attackers could get access to the panel if they hacked the mail account of the customer. MITM attacks are possible with both methods; just by sending a link you can find it out, if the link is not available anymore (should just work once, until the customer changed the password).
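
The single-use link described in the last post, sketched as an added example that is not part of the thread or of the panel's own code. The class name, the in-memory store and the 24-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime in seconds; the thread states none


class SetPasswordLinks:
    """In-memory stand-in for the panel's database table (hypothetical)."""

    def __init__(self):
        # SHA-256 of token -> {"user", "expires", "used"}
        self._rows = {}

    def issue(self, user, now=None):
        """Return the secret to embed in the mailed link; store only its hash."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "user": user, "expires": now + TOKEN_TTL, "used": False}
        return token

    def redeem(self, token, now=None):
        """Return (status, user); status is ok, used, expired or unknown."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        if row is None:
            return "unknown", None
        if row["used"]:
            # Second visit: the owner or an interceptor already redeemed it.
            return "used", row["user"]
        if now > row["expires"]:
            return "expired", row["user"]
        row["used"] = True  # burn the link before showing the password form
        return "ok", row["user"]

    @staticmethod
    def _digest(token):
        # A database leak then exposes hashes, not usable links.
        return hashlib.sha256(token.encode()).hexdigest()
```

A `used` result on the customer's first click is the signal the last post refers to: the link was already opened by someone else, which an emailed password never reveals.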