Password innaweb broadcast
2 posts
2 users
3k+ views
MichaelME
December 10, 2008
Member since 12/10/2008
32 posts
Just completed my registration and was stunned by the email confirmation.

Your site was the first that ever returned a password:XXXXXXXX! Bots look for that stuff. Even on "secure sites," if I publish my email addr or tele, I try to make it so human eyes have to 'cipher.

But you seem to make it easy for prying machines. Please give me peace of mind. Also, reconsider your confirmation policy.

Never been compromised yet, fingers crossed.

Please let me know

Reconsidering,

Michael
Scott - DCSki Editor
December 10, 2008
Member since 10/10/1999
1,265 posts
The DCSki Forums are powered by UBB.threads, one of the most popular commercial message forum packages on the web, and this is a design feature of UBB.threads that is out of my control. However, UBB.threads will only send this information to the official e-mail address used by the account creator. (And I would always encourage people to never re-use a password across web sites!)

Every forum package I've encountered includes similar functionality, particularly in the case of forgotten passwords, where it e-mails the password (or an "activation" link, which is essentially the same thing, and would also allow someone to access your account if they were able to view your e-mail) to the e-mail address on record. I would prefer that UBB.threads not e-mail the plaintext password on account creation -- especially since someone might re-use the same password across multiple sites (even though they should never do that). I looked through the settings of UBB.threads and don't see an option to do this.

There is always a tradeoff between convenience and security, and you have to consider the "worst case" scenario. In the case of the DCSki Forums, if someone were able to access your private e-mail, they could potentially log in as you and post a message under your alias -- but that's it. They shouldn't be able to access any private data (because that type of data doesn't exist on DCSki), and if this ever happened, I would encourage someone to contact me right away to initiate an investigation.

I did just modify the registration message to notify people that the password they use will be e-mailed to them as part of the registration confirmation, so they know not to recycle a password used on other sites, and won't be surprised by this. You could also share your concern with the company that makes UBB.threads (www.ubbcentral.com). But again, this seems to be common with message forum software. It's certainly not behavior I would expect from an on-line banking site.
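
An added example, not part of the original posts and not UBB.threads code: a registration flow in which the server keeps only a salted password hash and the confirmation e-mail carries a single-use, expiring link instead of the password. The `Accounts` class, the one-hour lifetime and the `forum.example` URL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a confirmation link, in seconds


class Accounts:
    """In-memory stand-in for a forum user table (hypothetical)."""

    def __init__(self):
        self.users = {}   # email -> {"salt", "pw_hash", "active"}
        self.tokens = {}  # sha256(token) -> (email, expiry time)

    @staticmethod
    def _hash_pw(password, salt):
        # Memory-hard KDF; the plaintext is never stored, so it cannot be mailed.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def register(self, email, password, now=None):
        """Create an inactive account and return the confirmation e-mail body."""
        now = time.time() if now is None else now
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt,
                             "pw_hash": self._hash_pw(password, salt),
                             "active": False}
        token = secrets.token_urlsafe(32)
        # Only the token's digest is kept, so a database leak exposes no live links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL)
        return f"Confirm your account: https://forum.example/confirm?t={token}"

    def confirm(self, token, now=None):
        """Activate the account once; the token is consumed on any attempt."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None or now > entry[1]:
            return False
        self.users[entry[0]]["active"] = True
        return True

    def login(self, email, password):
        user = self.users.get(email)
        if user is None or not user["active"]:
            return False
        candidate = self._hash_pw(password, user["salt"])
        return hmac.compare_digest(user["pw_hash"], candidate)
```
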
