Full Version: Username & Password in Validation Email
I have started up a new forum using Invision Power Board. I am very disappointed to learn that new members are not sent details of their username and password upon registering. We all know that some people register with a forum and then don't return for a visit until some time later and by the time they come back they can't remember their username and password. For example, I registered with this IPB forum some time back and today couldn't remember my username and password details (and I knew I was never sent an email with these) so I had to register again. Even people who visit a forum often may forget their username and password details - especially nowadays when we have passwords for a billion different things. To me it would make so much more sense to include the new member's username and password in the validation email - that way the member has a permanent record of their registration details. I don't understand why this is not done already with IPB??? Am I missing something?? phpBB forums send the new member a validation email with the username and password included and it is a huge help.
A person's username is included in the email.
The password is hashed before the email is sent, and there is no way for IPB to retrieve it once it has been hashed. The password could in theory be included with this email, but I could see this as being a potential security risk myself...packet sniffers, or if an email bounces and is logged in the ACP, etc. Besides, the "Lost Password" tool is available to users to reset their passwords already..
QUOTE
<#NAME#>,
This email has been sent from <#BOARD_ADDRESS#>.
You have received this email because this email address
was used during registration for our forums.
......
This email has been sent from <#BOARD_ADDRESS#>.
You have received this email because this email address
was used during registration for our forums.
......
The password is hashed before the email is sent, and there is no way for IPB to retrieve it once it has been hashed. The password could in theory be included with this email, but I could see this as being a potential security risk myself...packet sniffers, or if an email bounces and is logged in the ACP, etc. Besides, the "Lost Password" tool is available to users to reset their passwords already..
QUOTE(Murray @ May 14 2006, 09:39 AM) 
...phpBB forums send the new member a validation email with the username and password included and it is a huge help.
Yes, crackers with eavsdropping capabilies especially find this to be a huge help.
Liability-wise, I'm quite happy that there's no way for me to learn a user's password.
Ok, thanks guys for responding!
I understand - I gathered there must have been some logic behind the idea to not include the password in the validation email sent to new users.
Murray
I understand - I gathered there must have been some logic behind the idea to not include the password in the validation email sent to new users.
Murray
Maybe a "Forgot your password? Click Here" would be useful. So if they forget what their password was and still have the email, they could click the link and it would take them to the "forgot your password" screen and enter their username in the box automatically.
Something like, http://www.board.com/index.php?act=Reg&COD...&member_name=Cy , but allow $_GET in that box (since the security code thing is there already). Then just put the link in the email.
Could even put "Forgot your password ALREADY? Click Here..." as the link
Something like, http://www.board.com/index.php?act=Reg&COD...&member_name=Cy , but allow $_GET in that box (since the security code thing is there already). Then just put the link in the email.
Could even put "Forgot your password ALREADY? Click Here..." as the link
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.