Do not send new users their passwords in plain text
So I got this email when my account on AppVeyor was created.
You've been added to AppVeyor "[companyName]" account with "Administrator" role.
Sign in to your account using this URL:
https://ci.appveyor.com/login
Email: [myEmail]
Password: [myPassword]
If you have any questions please contact your account administrator!
Best regards,
AppVeyor team
It is terribly bad practice to send a password via email in plain text, and even worse that it was sent in the same email as the username. Can the security practices be reviewed, please?
-Ben
Support Staff 1 Posted by Feodor Fitsner on Apr 03, 2018 @ 10:38 PM
Hi Ben,
Thanks for pointing that out!
We'll replace that with "password reset" functionality.
I've created a new issue: https://github.com/appveyor/ci/issues/2232
2 Posted by smith.colin00 on Apr 05, 2018 @ 04:16 AM
Are you storing passwords in plain text? WTF?
Support Staff 3 Posted by Feodor Fitsner on Apr 05, 2018 @ 04:22 AM
That email is being sent before the password is hashed and the hash is stored in the database. Passwords are stored in the database in the form of salt+hash.
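An added example (not part of the original thread and not AppVeyor's code) of the flow the support replies describe: the invitation email carries a single-use, expiring token instead of a password, and the password the user then chooses is stored only as salt+hash. The `InviteStore` class, the one-hour lifetime and the choice of PBKDF2-HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600          # assumed token lifetime, in seconds
PBKDF2_ROUNDS = 600_000   # assumed work factor for this example


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class InviteStore:
    """In-memory stand-in for the user database (constructed for this example)."""

    def __init__(self):
        self.tokens = {}     # sha256(token) -> (email, expires_at)
        self.passwords = {}  # email -> (salt, password hash)

    def invite(self, email, now=None):
        """Create the one-time token that goes into the invitation link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a digest of the token is kept, so a database leak does not
        # hand out usable invitation links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL)
        return token

    def set_password(self, token, password, now=None):
        """Redeem a token once; the user picks the password themselves."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # popped: a token works once
        if entry is None or now > entry[1]:
            return False
        email, _ = entry
        salt = secrets.token_bytes(16)
        self.passwords[email] = (salt, _hash_password(password, salt))
        return True

    def verify(self, email, password):
        """Check a login attempt against the stored salt+hash."""
        record = self.passwords.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(_hash_password(password, salt), stored)
```

With this shape, the only secret that ever travels by email is a token that stops working after first use or after expiry.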
4 Posted by smith.colin00 on Apr 05, 2018 @ 04:29 AM
Thanks for the quick reply, Feodor. Can't be too careful nowadays, it seems :\
Ilya Finkelshteyn closed this discussion on Aug 25, 2018 @ 02:27 AM.