So I have a friend with a Xanga blog, and it requires me to have a Xanga account to view it (I'm not sure if she is aware that she can change the setting so that anyone can see it... hmmm, maybe I'll let her know). So I make this account, and this pops up in my e-mail:
Xanga recommends I keep my password in a safe, then sends my password to me by e-mail. Smooth.
Once your password is in the safe, just don't email yourself the combination.
That's quite standard practice actually.
That's a way of checking that the email provided by new users is valid. The idea (I don't know Xanga, so maybe I'm wrong though) is that you then log in and immediately change your password (which is then not sent to you by email).
With the screenshot cropped, we can't tell for sure. Does it say "keep this info in a safe place" and then stop (WTF), or "log in and change your password and then keep the rest of this info in a safe place" (non-WTF)?
Is the password one that you wrote yourself or is it a randomly generated one?
Indeed. I've found a great many places send you an email with the password you entered yourself on the signup web page. Which is extremely inadvisable, especially given most people use the same password for multiple locations (though that also is inadvisable).
IIRC I've even found one place which emails you the new password WHENEVER YOU CHANGE IT!
The password is chosen by the user, and they did not recommend changing the password.
It would have been hilarious if those guys had recommended putting the password in a safe.
Worst I've seen was a site that asked for a password (and again for confirmation) in a password field, so it was all good and hidden... Then on the next page, gives me a "Yay, it worked" page complete with the username and password in huge writing in plain text.
Lucky it wasn't me signing up, and also lucky for the person I was helping that I didn't care about their password.
I've had several of these, the best being of these two types:
a. You enter your intended password to their website over SSL and it sends you an email later informing you of the password you chose, and
b. You enter a password in an obfuscated password field only for it to be displayed back in clear text.
The latter is stupid and probably an unintentional WTF (as in, they used a password field only because it was a password; not caring about the "security" it provided). The former is a huge hole that far too many websites leave open.
If you don't understand why this is a problem, post your email address here and I'll send you an email with the details.
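The safer flow the posts above describe (confirm the address with a one-time token, keep only a salted hash, and never put the password in any outbound message), as an added example that is not code from the thread or from any site it mentions. The in-memory store, the send_mail() stub, the example.invalid link and the sample credentials are all constructed for illustration:

```python
"""Signup flow that verifies an email address with a one-time token instead
of mailing the password back (added example; the store, mail stub and URL
are constructed assumptions, not any real site's code)."""
import hashlib
import hmac
import os
import secrets
import time

USERS = {}            # username -> record (constructed in-memory store)
PENDING = {}          # verification token -> (username, expiry timestamp)
OUTBOX = []           # messages send_mail() would have delivered
TOKEN_TTL = 24 * 3600  # verification links expire after one day


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256; only salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def send_mail(to, subject, body):
    """Stub: record the outbound message instead of delivering it."""
    OUTBOX.append({"to": to, "subject": subject, "body": body})


def register(username, email, password, now=None):
    """Create the account, store a hash, and mail a verification link.
    Returns the token so the caller can complete the flow."""
    if username in USERS:
        raise ValueError("username taken")
    salt, digest = hash_password(password)
    USERS[username] = {"email": email, "salt": salt,
                       "digest": digest, "verified": False}
    token = secrets.token_urlsafe(32)
    PENDING[token] = (username, (now or time.time()) + TOKEN_TTL)
    # The message carries a single-use token, never the password itself.
    send_mail(email, "Confirm your account",
              f"{username}, confirm your address by visiting:\n"
              f"https://example.invalid/verify?token={token}\n"
              f"This link expires in 24 hours.")
    return token


def verify_email(token, now=None):
    """Consume the token once; unknown or expired tokens are rejected."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return False
    username, expires = entry
    if (now or time.time()) > expires:
        return False
    USERS[username]["verified"] = True
    return True


def check_login(username, password):
    """Constant-time comparison against the stored digest; unverified
    accounts cannot log in."""
    rec = USERS.get(username)
    if rec is None or not rec["verified"]:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])


def mail_leaks_secret(message, secret):
    """Outbound guard for the failure mode in the thread: true if the
    user's password appears verbatim in the message."""
    return secret in message["subject"] or secret in message["body"]
```

The guard at the end is the cheap regression check: run it over every welcome or reset message before it leaves the application, and a template that someone later edits to "helpfully" include the password fails loudly instead of reaching the user's inbox.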
Date: 7 Nov 2006 23:40:26 -0500
From: The Daily WTF - Automated Email <firstname.lastname@example.org>
To: <email@example.com>
Subject: (The Daily WTF) New Account Creation

[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-1" character set. ]
[ Some characters may be displayed incorrectly. ]

magetoo,

You have created a new account at The Daily WTF, and may login. Your username is:

Username: magetoo
Password: <the password i just typed in>

To login, please visit: http://thedailywtf.com/login.aspx?ReturnUrl=

After logging in you can change your password here: http://thedailywtf.com/user/ChangePassword.aspx

Thanks,
The Daily WTF team