Full Disclosure mailing list archives

RE: Password in the Activations Email


From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Sun, 23 May 2004 09:19:23 +0530

Is this necessarily worthy of a post to FD?

Shit, I managed to screw over nicely; now it will start another flame war. I did not want to send it to FD; if I ever 
wanted to send it, I would have sent it to security-basics!
 
I have never used that site, but I would only consider it evil if:

      1) I gave it a password at signup
      and
      2) It emailed that password back to me

This is exactly what happened: I was asked for a passwd at signup, and the site mailed the passwd back with all the other 
detailed info that was entered for signing up the account.

If one of those is the case, then it's terrible, but I still don't
believe it's worthy of a CC to full-disclosure.

Me too. Somehow I think that the FD posting address was in the clipboard, and because of using all the keyboard shortcuts the 
mail was sent in a jiffy! Sorry.
 
However I think if it sends a temporary password out, and it asks you to
change it, then that is fine in my books; it's akin to sending out an
activation "code" that one must enter to activate an account.


No, they do not send out a temp passwd, only an activation URL, and when activated they send you an email with all the details 
and password.

-Sorry for wasting the list's time; this is really security-basics () securityfocus com stuff.
Forget it, don't bother to reply to this post, and kill off this thread.



-aditya



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

