Your new password is...



  • This email went out do a large number of users informing them of the relaunch of a site..  (anonymized to protect the guitly of course)

     

    Great news.  <site name> is live, and we’re sending this email to tell you what’s good:

    Getting Started
    <snip>
     The only thing that changed is your password.  When you go to the site, click SIGN IN at the very top of the page.  The system will ask you for the email address you used when you signed up.  It should be the same one you’re using right now.
    Your temporary password is...  <site name>. 
    Once you sign in, you can click EDIT PROFILE to change your password and add more information to your profile. 

     

     

    Thats right, they gave every user the same password and emailed to everyone. Then they wonder why their users are complaining that their accounts are hijacked...

     

     

     



  • Did they To/CC said email addresses? Is it too much to ask that they used BCC like a proper email like this should?



  • Should really be individually emailled out per user, with a different randomly generated password for each user! 



  • At the very least, they should force people to change the password as soon as they log in. I guarantee that 95% of people wouldn't change from the default unless forced.



  • @rbowes said:

    I guarantee that 95% of people wouldn't change from the default unless forced.

     

    Sounds like my job right there.  We were using the same password for all of our subversion accounts by default, and we tell new users to change them when their account was created (we use svnserve, not apache - otherwise LDAP would be used and we wouldn't have this issue).  So now we have 70 people with the same password.  I've changed my ways now to just create a random password for them to at least give the hint of security.  It's an intranet-only server, so it's not the end of the world if it's not quite secure, but a hole I'm hoping to plug. <rant> Maybe when svn 1.5 finally comes out </rant>



  • @Zemm said:

    Should really be individually emailled out per user, with a different randomly generated password for each user! 

    Or at least a password that LOOKS randomly generated


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.