Password emailed in the clear?!? A bad sign...
Why do you send a confirmation email with my password completely in the clear? That's a bad sign for a service I would depend on to be secure and dependable for my clients. I suppose you'd send my clients their passwords in the clear like that?
-
Hi Bob,
I do understand your concern over this and we thought long and hard about this decision. Basically it is a trade off between security and ease of use.
The problem is that clients have trouble remembering their passwords and we wanted to keep delays and admin down to a minimum.
In the end we decided that so little extremely sensitive information was held on the system that ease of use was more important.
-
Hi Bob,
Just to add to Paul's response, we don't store passwords in clear text in our database. The passwords for clients are randomly generated immediately before the email is sent, and then encrypted before storing in the database.
Dave -
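The reply above says client passwords are randomly generated just before the email is sent and then encrypted before storing. As an added example (not GetSignOff's code), the Python below implements that flow with a salted PBKDF2 hash standing in for "encrypted" (an assumption; the thread does not say which scheme is used), next to an alternative that mails a single-use, expiring setup token instead of the password. The function names, the in-memory `store` and both constants are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000   # assumed work factor for this example
TOKEN_TTL = 3600          # assumed setup-link lifetime, in seconds

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def issue_client_password(store: dict, client_id: str) -> str:
    """Flow from the reply: generate just before mailing, keep only a salted hash."""
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    store[client_id] = {"salt": salt, "hash": _hash_password(password, salt)}
    return password  # this value is what stays readable in the client's mailbox

def check_password(store: dict, client_id: str, candidate: str) -> bool:
    rec = store.get(client_id)
    if not rec or "hash" not in rec:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(candidate, rec["salt"]))

def issue_setup_token(store: dict, client_id: str, now=None) -> str:
    """Alternative: mail a single-use, expiring token; store only its digest."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[client_id] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                        "expires": now + TOKEN_TTL}
    return token

def redeem_setup_token(store: dict, client_id: str, token: str,
                       new_password: str, now=None) -> bool:
    now = time.time() if now is None else now
    rec = store.get(client_id)
    if not rec or "token_hash" not in rec or now > rec["expires"]:
        return False
    if not hmac.compare_digest(rec["token_hash"], hashlib.sha256(token.encode()).digest()):
        return False
    salt = secrets.token_bytes(16)
    # Replacing the record consumes the token, so the mailed value cannot be replayed.
    store[client_id] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    return True
```

In the first flow the database holds no plaintext, but the mailed password remains a working credential for as long as the message exists; in the second, the mailed value stops working after one use or after `TOKEN_TTL`.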
Well, I disagree that that's a good approach (and this says a LOT about your commitment to supporting the service if you're unwilling to even do a "forgot my password" service) but if that's the case, you need to TELL PEOPLE that you're going to do this BEFORE they create a password. If someone uses a common password for several services, then they would know to create a unique one just for this.
-
I have to second what Bob says. If all passwords were unique to GetSignOff, I wouldn't have a problem with this approach.
However, as Bob points out, I use the same password for GSO as I do for my email, my security is heavily compromised. -
Hi Bob,
Okay, thanks for your feedback, Bob. We will certainly take your comments on board and see what additional feedback we get from the rest of the community. If others agree with you we will certainly change things. -
This reply was removed on 02/16/09.
see the change log -
Hi Neil,
Thanks for your comment relating to this. We are certainly listening to the feedback on this subject.
One thing I would say is that I would advise against using the same password across multiple sites. This leaves you very vulnerable. I tend to generate a password based on some aspect of the site like the URL. I then use a tool like 1Password to manage these for me. -
Thanks for the advice, Paul. While I certainly agree with it (and do follow it to a certain extent), I don't really think that it's practical for the masses. A different password for every service is certainly not practical.
I was speaking more for my clients than myself. -
Yeah, great advice, though pretty unrealistic. But it doesn't really apply here - the problem is that no warning was being given beforehand that it WOULD be sent in the clear. If people know that before creating a password they would be more likely to actually follow that advice. -
OpenID would go a long way