Is it a horrible idea to email users their password on sign up – before it’s hashed by the server side code and stored into the DB?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it a horrible idea to email users their password on sign up – before it’s hashed by the server side code and stored into the DB?
If it’s user-entered, yes, it’s a bad idea. E-mail is unencrypted and can be intercepted in transit between your mail server and theirs, as well as potentially being readable by folks with access to the two servers.
If it’s a one-time temporary password, the risk is smaller, as they should change it shortly afterwards.