
Re: [ia-55] Enter & Re-enter Password when sign up

From: user 6.
Sent on: Tuesday, March 27, 2012 3:33 PM
The registered user has the option to add an email to their account in case they need to recover a password. I like that it's an option and not mandatory.

-Pat Lang
http://itun.es/iPP9qg

On Tue, Mar 27, 2012 at 12:56 PM, Yingying <[address removed]> wrote:
Hey Pat, I haven't used Reddit.com, so it's good to know. But what can you do if you forget your password but want to see previous info? If there is no email address, you will not be able to get your password back.
Yingying Zhang - http://yingyingz.com

From: Pat Lang <[address removed]>
Sender: [address removed]
Date: Tue, 27 Mar[masked]:44:22 -0400
To: <[address removed]>
ReplyTo: [address removed]
Subject: Re: [ia-55] Enter & Re-enter Password when sign up

It depends on your site goals and objectives which method is chosen, so neither one is "better".

I like how Reddit.com does it... Username + 2 password fields, no email required!! No email is key; this encourages users to sign up with multiple accounts and post/comment more freely. For example you can have an account called Mr. Negative and reply negatively to every post. This, plus the gamification aspects, encourages account creation and contributions. The site traffic reflects this.

-Pat Lang




On Tue, Mar 27, 2012 at 12:06 PM, Timothy Strimple <[address removed]> wrote:
Yes. It is still wrong. The vast majority of those millions of users don't know anything about security and they are blindly trusting WordPress to be competent in that area.

Having a compromised email was just one of a handful of ways that sending passwords via email is a problem. The others should not be ignored for the sake of convenience.

Tim.

Sent from my Windows Phone

From: noel saw
Sent: 3/27/2012 9:49 AM
To: [address removed]
Subject: Re: [ia-55] Enter & Re-enter Password when sign up


Timothy, another perspective is that if they've been doing it this way for many years and the core audience of millions of users aren't demanding a "fix" for this method, does it make it "wrong" then?

I agree that sending passwords via email is inherently insecure but what are the alternatives other than forcing users to change their passwords immediately upon initial login? We know most users are going to have their own set of favorite passwords and most people are not going to create strong passwords.

My take is that if someone's email system is compromised, you're pretty much jacked by that point because they can go and perform password recovery operations at those other sites regardless of whether or not they received a "welcome email" with the password.

On Mon, Mar 26, 2012 at 10:49 PM, Timothy Strimple <[address removed]> wrote:
Just because they are doing it for a long time, doesn't mean that it is right. This is not an opinion to agree or disagree with. It is a fact that it is far less secure to send a user their password in their email.


Some highlights from the link:
  • The email could be intercepted giving someone else the password.
  • Someone could see them open the email on their screen (been at mates houses and had this happen to both of us so many times, and every time is a massive headache to go change all your passwords).
  • The email might be forwarded to other addresses which are not secure.
  • The email might bounce/encounter a server error and then you (perhaps your untrusted staff or outsourced helpdesk too?), and the email server's system admin will probably get copies of the original email.
  • Someone who obtains access to the user's emails through a cookie hijack or even just a briefly unattended open email account will now be able to see their password. Worse, their password is probably used elsewhere (or at least has a common stem, e.g. "password1", "password1$$" "passwordSuperSecure123") so you've now compromised more than just your own service. Worse still, it might be the password to the email account that's been hijacked and now they can steal this person's email account and thus identity for a much longer time than the expiry date on the cookie/session. (This has all happened to people I know).

  • The fact that they are able to send you an email with the password is also a strong indicator that they are not storing passwords correctly. Passwords should be salted and hashed when stored in the database and it should be impossible for you to determine the original password from the values in the database. 

    Tim.

    On Mon, Mar 26, 2012 at 10:27 PM, noel saw <[address removed]> wrote:
    Tim, I respectfully disagree, but WordPress, one of the world's most popular CMSs, has been sending user passwords for new account notifications via email for many, many years.


    On Mon, Mar 26, 2012 at 10:15 PM, Timothy Strimple <[address removed]> wrote:
    Please, never send the user the password they entered in an email. It's acceptable to send a temporary password via email as long as the user is required to change it on their next login.

    Some sites I have used ask for just an email to create an account, and a link gets emailed to you to finish creating your profile. This lets you confirm the user's email before the account is created, which means you have a reliable way of resetting a password if the user mistypes it. Thus it would be okay to just ask for a single password and skip the confirmation, since there is a means to recover.

    Tim.
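An added illustration of the storage model Tim is arguing for, not code from this thread or from WordPress or Drupal: the service keeps only a per-user salt and a PBKDF2 hash, so there is no plaintext to put in a welcome email, and a temporary password is flagged so that the first login with it must replace it. The `Accounts` class, the in-memory store and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2-HMAC-SHA256 work factor (OWASP's current recommendation); tune for your hardware.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored, so the plaintext cannot be recovered or emailed."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class Accounts:
    """In-memory stand-in for a users table (assumption; a real app would persist this)."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "must_change"}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "must_change": False}

    def issue_temporary_password(self, username):
        """Random temporary password for a welcome/reset email; only its hash is kept."""
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        self._users[username].update(salt=salt, hash=digest, must_change=True)
        return temp

    def login(self, username, password):
        """'ok', 'change_required' (temporary password accepted, must be replaced), or 'denied'."""
        rec = self._users.get(username)
        if rec is None:
            return "denied"
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["hash"]):  # constant-time comparison
            return "denied"
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, username, current, new):
        """Clears the must_change flag; this is the only way past a temporary password."""
        if self.login(username, current) == "denied":
            return False
        salt, digest = hash_password(new)
        self._users[username].update(salt=salt, hash=digest, must_change=False)
        return True
```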


    On Mon, Mar 26, 2012 at 10:02 PM, noel saw <[address removed]> wrote:
    I think it's an effort towards streamlining the account creation process. Some might call it part of "on-boarding" users as much as possible. 

    A lot of sites now send "welcome" emails with the user's credentials including passwords as a reminder in case they mis-typed the password originally.

    For my own projects, I am employing the single password field.

    On Mon, Mar 26, 2012 at 9:40 PM, Yingying <[address removed]> wrote:
    Christine, thanks! My company uses password/confirm too. Actually, this Readability website is the first one I've noticed using a single field. So I am wondering what reason made them eliminate the other one :)

    On Mon, Mar 26, 2012 at 9:28 PM, Christine Tran <[address removed]> wrote:
    Hi Yingying,

    My company does request a password/confirm password upon signup as part of the Drupal module we use. Our developers have said we can automate the second password field on the back end (only requiring the user to type a password once), but as you mentioned, I believe doing it twice avoids user typos that could make later logins frustrating.


    ....................................................................................
    CHRISTINE E. TRAN · (773)[masked] · @tranxtine



    On Mon, Mar 26, 2012 at 9:17 PM, Yingying <[address removed]> wrote:
    Hi Guys,

    I noticed a website called Readability asks users to enter their password only once (try here: https://www.readability.com/readers/register). Most of the websites we use now ask us to type it twice. What do you think about this? Is it easier for users?

    I am curious about why people initially designed websites with enter & re-enter password. Is it because of security, or just to avoid typos by users? I am sure a lot of people would type the wrong password the first time; I have done this a few times.

    What do you think?


    Yingying

    --
    Yingying Zhang




    --
    Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
    This message was sent by Yingying ([address removed]) from The Los Angeles User Experience Meetup.
    To learn more about Yingying, visit his/her member profile
    Set my mailing list to email me As they are sent | In one daily email | Don't send me mailing list messages

    Meetup, PO Box 4668 #37895 New York, New York[masked] | [address removed]








    --
    Pat Lang
    Mobile User Experience Creative Director
    www.krop.com/patlang

    Skype: patlangmedia
    Mobile: [masked]

    Sent from gmail







