Mistake in activation mail + No password encryption?

Hello, I found a pretty funny mistake in the welcome letter.

It says “Welcome to Welcome to the Comodo Forum”

How come the password is shown in clear text, by the way? Don’t you think those should be encrypted, especially on a security forum…?

Hi Darkwing, welcome to the forums.

It’s shown in clear text because it is a one-off password. On your initial login you’ll be forced to either change your password or subsequently request another one-off password be sent.

Are you sure? Because I’ve logged in 2-3 times so far, and I haven’t been asked to enter a new one.

When I got the activation e-mail (Subject: Welcome to Welcome to the Comodo Forum - a bit of redundancy never harmed anyone, eh? :P) for the forum I was in for a nasty surprise:

In the unencrypted e-mail my password was sent in plain text. ???

My reply to this:

Are you serious??? You are sending a password in an unencrypted e-mail?

I’d have expected MUCH more of a company in the security business. Actually this makes me consider uninstalling Comodo Products as this should not be expected from a company that is trustworthy.

Awaiting an explanation.

After checking the forum for other reports on this issue I found the following thread:

It was answered, but after the user proved the moderator wrong (and I can confirm the same - no password change was forced) no additional answer came forth…

Disappointing, very disappointing! :frowning:

Hi usr17, welcome to the forums.

It’s a normal, and safe, activation method for a SMF forum. The password is a one-off directly tied to your session id I believe. It’s useless to anybody else… unless they have access to your email account as well.

Thanks for the welcome! :slight_smile:

May I correct you:

  • Maybe it is a normal activation method although I doubt it. It is, for sure, not a safe one!
    I know enough about forum administration to know that it is not a necessity to send a Password via e-mail. It should simply not be done. It is very bad practice.

  • You believe wrong: It is not tied to my session.

  • “Useless to anybody else unless they’ve got access to my e-mail account.”? Wrong.
    Would you send a postcard with a password written on it via snail mail? I’d guess you would not. While the password would be “safe” after arriving in my postbox (unless someone else has got the key for it naturally or someone simply breaks into it by brute force) it is available to anybody that has got access to the postcard on the way. A plain-text e-mail is no different.

Suggested reading (just a few articles I dug up within seconds):

Merged the two topics.

And so falls the sound of silence once again. Will we ever get an actual explanation for this, instead of misinformation?

Nice. You know this is a SMF (Simple Machines Forum) issue/process right?

It looks like what you are asking is not a default option of the SMF forum software, unless a mod was made, when reading Encrypt Forum Email at the SMF forums.

I think the answer to your question lies mainly there.

What I would ask for is that a password is simply not sent via e-mail. It is absolutely not necessary and this would solve the issue in a very simple way.

I fail to understand why the forum’s security is compromised by sending a password via e-mail. The forum itself is accessible via a secure connection, yet a weak link like this is not removed.
Seriously: to implement something that does not do something doesn’t even require any skills. :wink:

I suspect it is because you do not fully understand what you’re asking for (or even why based on the URLs you have posted) given that this forum is an SMF forum and not something that Comodo have written themselves.
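
The alternative requested earlier in this thread (activation without the password ever appearing in an e-mail), sketched as an added example that is not part of the original posts and is not SMF or Comodo code. The `ActivationStore` class, the token lifetime and the `forum.example` URL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of an activation link


class ActivationStore:
    """In-memory stand-in for a forum's member table (hypothetical)."""

    def __init__(self):
        self._pending = {}   # username -> (sha256 of token, expiry time)
        self.active = set()  # usernames whose accounts are activated

    def issue(self, username, now=None):
        """Create a random single-use token; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, now + TOKEN_TTL_SECONDS)
        return token  # this goes into the e-mail; the password never does

    def activate(self, username, token, now=None):
        """Accept the token once, before expiry; reject everything else."""
        now = time.time() if now is None else now
        record = self._pending.get(username)
        if record is None:
            return False
        digest, expires_at = record
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):  # constant-time compare
            return False
        del self._pending[username]  # consume the token, even if it has expired
        if now > expires_at:
            return False
        self.active.add(username)
        return True


def build_activation_mail(username, token):
    """Mail body carries only the link; forum.example is a placeholder host."""
    link = f"https://forum.example/activate?u={username}&t={token}"
    return f"Hello {username},\n\nActivate your account: {link}\n"
```

Someone who reads the mail in transit gets a token that stops working after its first use or after it expires, and never sees the password the user chose at registration.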