Not to nitpick but being emailed a temporary password in cleartext doesn't seem like an issue to me, assuming you're required to change it as soon as you log in.


The fun one for me is when they email you your original password in email. I’ve had that happen twice, and was always an amazing wtf moment.


Especially since that email address presumably is used for the forgot password authentication anyway.

But it is at least the equivalent of a code smell. perhaps a "UX smell"?

A couple of obvious ways it can go bad: An attacker could potentially have access to your email (perhaps from a data breach elsewhere or a password stuffing attack) and use the temp password before you do. If the temp password is the one entered by the user during signup, a naive user could sign up using their commonly reused password, which then sits in cleartext forever in their email archive.
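
One way to implement the flow the thread is debating so that both failure modes above are bounded: the temporary password is random (never something the user chose), only its hash is stored server-side, it expires quickly, it works exactly once, and the account is locked into a forced password change until the user sets a real one. This is an added example written for this page, not code from any site the commenters are describing; the account model, the 15-minute TTL and the PBKDF2 parameters are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values for this example.
TEMP_PASSWORD_TTL = 15 * 60      # seconds a temporary password stays valid
PBKDF2_ITERATIONS = 100_000      # work factor for the password hash


@dataclass
class Account:
    email: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: Optional[bytes] = None      # hash of the user-chosen password
    temp_hash: Optional[bytes] = None    # hash of the emailed temporary password
    temp_expires: float = 0.0            # unix time after which temp_hash is dead
    must_change: bool = False            # force a password change before normal use


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def issue_temp_password(acct: Account, now: float) -> str:
    """Generate a random temporary password and return it for the email.

    The server keeps only its hash plus an expiry; the plaintext exists
    only in the outgoing message. The user never chose it, so nothing
    they reuse elsewhere ends up sitting in their mail archive.
    """
    temp = secrets.token_urlsafe(12)        # ~96 bits of randomness
    acct.temp_hash = _hash(temp, acct.salt)
    acct.temp_expires = now + TEMP_PASSWORD_TTL
    acct.must_change = True
    return temp


def login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'must_change' or 'denied'."""
    candidate = _hash(password, acct.salt)

    # Temporary password: only inside its window, and only once.
    if acct.temp_hash is not None and now < acct.temp_expires:
        if hmac.compare_digest(candidate, acct.temp_hash):
            acct.temp_hash = None           # burn it on first use
            return "must_change"

    # Regular password: still gated by must_change once a temp was issued.
    if acct.pw_hash is not None and hmac.compare_digest(candidate, acct.pw_hash):
        return "must_change" if acct.must_change else "ok"

    return "denied"


def set_password(acct: Account, new_password: str) -> None:
    """Complete the forced change: store the new hash and retire the temp."""
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.temp_hash = None
    acct.temp_expires = 0.0
    acct.must_change = False


if __name__ == "__main__":
    import time
    acct = Account(email="user@example.com")        # constructed sample account
    temp = issue_temp_password(acct, now=time.time())
    print("email body would carry:", temp)
    print(login(acct, temp, now=time.time()))       # must_change
    print(login(acct, temp, now=time.time()))       # denied: single use
```

With this shape the "attacker reads the mailbox first" case is limited to one login inside the TTL, and it leaves a trace: the legitimate user's own attempt comes back `denied` because the temp was already burned, which is the moment to alert on. If the account holder is first, a later mailbox reader gets nothing. Emailing the password the user typed at signup has neither property, since that string is the user's own and stays valid wherever else they reused it.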


The way I read it, the password might not have been different for each new user...

But that's negated completely by the next part about there being a sign up without any email verification



