Clear text password

**dmaftei** · 06-27-2007, 04:10 PM

I don't know how to put this mildly... Folks, you're sending confirmation emails for tickets THAT CONTAIN THE CLEAR TEXT PASSWORD!!! Here it is:

Your ticket has been received, one of the staff members will review it and reply accordingly. Listed below are details of this ticket, Please make sure the Ticket ID remains in the subject at all times.

Ticket ID: MNP-701683
Subject: Wrong link on Webalizer page
Department: Technical Support
Priority: Normal
Status: Awaiting Staff Response

You can check the status or reply to this ticket online at: https://www.whbsupport.com/index.php...icketid=120403
Email: dmaftei@comcast.net
Password: MY_CLEAR_TEXT_PASSWORD_WAS_HERE

1. Helpdesk Problems
https://www.whbsupport.com/index.php...&group=default

Please do let us know if we can assist you any further,

SupremeChaotic · 06-27-2007, 06:21 PM

Originally Posted by Matt R

We have to maintain the balance between those technically save who know their passwords, and those that do not remember their passwords. I'll look at the options though and see what we can do. I do appreciate that there is a small security risk attached.

With that said, we do ask for extra verification for major account changes.

http://www.whbstatus.com/showthread.php?p=787#post787

**Matt R.** · 06-27-2007, 06:32 PM

Ok, we'll disable it for a while and see if it poses a problem. I know a number of clients are concerned.

**dmaftei** · 06-29-2007, 12:01 PM

Originally Posted by Matt R

Ok, we'll disable it for a while and see if it poses a problem. I know a number of clients are concerned.

I appreciate the prompt answer, Matt. As far as "disabling it" goes, I hope it stays disabled. Keeping a balance is not reasonable, you should deal with those who forget their passwords on a case by case basis.

Which brings me to a different point. How do you guys store sensitive account data?! You sending me my password means that you either store it unencrypted, or store it encrypted with a reversible algorithm. I would suggest you change that to unreversible encryption...

Best
Dan M

**heron87** · 07-07-2007, 08:56 PM

well if you ahve submitted a ticket you will have knowen your passowrd soo its not really needed to ahve a clear password on your tickets

Saf M · 07-08-2007, 02:34 PM

This has been edited as per request.

JasonD · 07-18-2007, 08:56 AM

Add me to that list...

You should only send disposable passwords, ones that require you to change them, once you login.

No SSL and plain text passwords in WEB-MAILS which can be Cached and sniffed, is a bad thing. Especially when it says "Password: xxxxxxx". Easy for a net-bot to find.

Thread: Clear text password

LinkBack

Thread Tools

Display

Clear text password

Posting Permissions