Do not send Login & Password in confirmation e-mail

  12 years ago

From a security stand point, it seems really ill-advised for the confirmation / activation e-mail for the Linux Mint Community site to be sent listing, in plain text, our user ID and password. Given that e-mails are not a particularly secure form of communication, and coupled with the fact that many people, no matter how ill-advised, repeat passwords from site to site, broadcasting that password in an e-mail seems like a pretty decent security concern.

Since the confirmation / activation e-mail should only be received by someone who has just signed up for an account, they should already know what user name and especially password they had signed up with, so telling them all the details again shouldn't be necessary.

Perhaps it would be better to use a reminder e-mail for the user name, and a password reset e-mail, but only give those as separate options and only upon the user's request.
Latest comments
clem 9 years ago


RayWoods 10 years ago

It is such a long time ago that I joined, I can't remember the email that was sent to me! Anyway, I'm going to mark this as Considered. I know there is no worry with the password storage on the site, (see Clems replies on idea

New > Considered

mudslinger 11 years ago

maybe implement a random password generator.

blueXrider 11 years ago

Good point. So important maybe some should send Clem an e-mail?

akash211 11 years ago


Argent 11 years ago

I fully agree. Just joined and was surprised to see it glaring at me.

DynamicMan 11 years ago

This really should be changed asap. It seems like such a basic security feature that the current way of handling it is actually a bit embarrasing to mint, imho.

passstab 11 years ago

when users make an account they should get a one time option to allow emailing of info to themselves

Laan 12 years ago


oco13 12 years ago

I totally agree. +1!

heltonbiker 12 years ago

"totally" +1!