One of my pet peeves with regard to web registration is sites that email you an unencrypted version of your custom password. It seems like a needless security lapse. Lots of people use the same username/password combo for many websites. When registering on this website you email out an activation request with the username and password. It really would be better if you mailed out an auto-generated password and forced the user to change it after they register, or better yet, don't send the password at all.
Well, if we're talking about security here... first of all, using the same password for multiple sites is bad, bad, BAD! Because you use your e-mail as a login on many sites, less serious ones may record the e-mail and password, then try it on various sites until it gets a hit, and you lose your accounts. Second of all, as a forum administrator in a small community, I can tell you that the auto-generated messages tend to use the tags {username} and {password} in order to input the info without other people noticing it. At the same time, if you lose your e-mail account then you'll most likely lose the accounts tied to it, due to the common practice of e-mail based password resets. As such, sending the password by e-mail isn't really something that's high on the Stuff-to-worry-about-if-the-e-mail-gets-hijacked-list. As for the risk of people reading over your shoulder, why would you let anyone do that? Also, if you're worrying about Van Eck Phreaking as a way to get your password from unencrypted e-mail, you're probably paranoid enough to wear a tin-foil hat. The largest concern to your password will either be: 1. Phishing sites. 2. Keyloggers. 3. Your brother using APR on your connection. Assuming you're careful, the first two are easily avoidable, the third one isn't. But anyway, relax, it's no real biggie. :ugeek:
Oh, I agree it is bad, but then again creating a unique username and password for each of the hundreds of different sites that require registration isn't any more secure, as unless you have a photographic memory you're going to have to write them down somewhere or have too-simple passwords. Personally I have 4-5 usernames and 6-10 current passwords and they get used based on context and the level of security required. Any gaming/free registration site where no money will change hands is pretty far down on my personal security list. Part of the annoyance is the fact that I know Uber is storing my password. The correct way of doing it is that the website owner should never store your password. Ask Steam/Bank of America for your password and they can't give it to you; it's not that they won't, it's that they can't. The server should be storing the hash key that the user's password generates. This way any security compromise at Uber doesn't end up giving out the passwords of individual users. "As such, sending the password by e-mail isn't really something that's high on the Stuff-to-worry-about-if-the-e-mail-gets-hijacked-list." I'm not really worried, just, as I said, annoyed/pet peeve. Certainly I'm not worried about your Van Eck Phreaking; a more likely hacking method would be getting at the email as it just travels back and forth across different servers. It goes unencrypted from Uber through 10 different machines before hitting the server where my mail is stored, then from there (as I registered with a free webmail account) it goes over a half dozen different devices unencrypted to where I can read it. But even then the most likely way to 'hack' there would just be some disgruntled Uberent co-op taking your username/password from the server, as it is clearly stored there, unlike how most sites do it. It is a non-issue for me as the worst that could happen is someone figures out how to gain access to some free newspaper accounts and a few online forums.
However, I can almost guarantee that someone on this forum uses the same username/password to access their bank as this website.
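
An added example, not part of the thread or of any site's actual code: a registration flow in which the server stores only a salted hash of the password and the activation e-mail carries a single-use code instead of the password. The function names, the in-memory `users` table and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)
users = {}            # constructed in-memory stand-in for the user table


def hash_password(password, salt):
    """Derive the value that is stored in place of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username, password):
    """Store salt + hash only; return the body of the activation e-mail."""
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    users[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        # Only a hash of the code is kept, so a leaked table cannot
        # be used to activate accounts either.
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "active": False,
    }
    # The e-mail contains the activation code, never the password.
    return f"Hello {username}, activate your account with this code: {token}"


def activate(username, token):
    """Accept the mailed code once, then discard it."""
    rec = users.get(username)
    if rec is None or rec["token_hash"] is None:
        return False
    given = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(given, rec["token_hash"]):
        return False
    rec["active"], rec["token_hash"] = True, None  # single use
    return True


def login(username, password):
    """Re-derive the hash from the submitted password and compare."""
    rec = users.get(username)
    if rec is None or not rec["active"]:
        return False
    candidate = hash_password(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["pw_hash"])
```

With this layout the site cannot mail the password back even if asked, because it never holds it after `register` returns.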
maybe they should just warn you not to make a pass that's the same as other accts. and beyond that, you only need 2 passwords to avoid anyone getting into your bank acct. the first password for your bank acct, money related things, email, personal info, identity things, etc... and the other for forums, free stuff, facebook, and stuff that's not so important. use the not so important password on this site, use the important passwords for important sites that encrypt.