lindas-uc / lindas-issues

Share our issues and questions about http://lindas-data.ch/

Passwords are sent plaintext per eMail after change #11

Open l00mi opened 8 years ago

l00mi commented 8 years ago

Please never send any passwords by email. This is simply bad practice.

This further triggers the question if the passwords are saved in plain text somewhere?

retog commented 8 years ago

lindas-data.ch uses unencrypted HTTP and login works by sending username and password in clear in the message payload, so passwords stored in clear seems to be the least of the problems ;)

martin-voigt commented 8 years ago

The problem is that SECO still hasn't managed to sell a certificate... I will get back to them.

retog commented 8 years ago

Thanks @martin-voigt, however when I wrote my comment I wasn't quite aware that the problem isn't mainly the unencrypted nature but that the original password is sent to the email address (rather than a fresh password or better a reset link). Depending on the mood of the day I set the password and the situation in which I need to recover it, this could be quite embarrassing.