Do not send new users their passwords in plain text


bene

Apr 03, 2018 @ 03:29 AM

So I got this email when my account on AppVeyor was created.


You've been added to AppVeyor "[companyName]" account with "Administrator" role.

Sign in to your account using this URL:
https://ci.appveyor.com/login
Email: [myEmail]
Password: [myPassword]
If you have any questions please contact your account administrator!

Best regards,
AppVeyor team


This is terribly bad practice, to send a password via email in plain text, and even worse that it was sent in the same email as the username. Can the security practices be reviewed, please?

-Ben

  1. Support Staff 1 Posted by Feodor Fitsner on Apr 03, 2018 @ 10:38 PM


    Hi Ben,

    Thanks for pointing that out!

    We'll replace that with "password reset" functionality.
    I've created a new issue: https://github.com/appveyor/ci/issues/2232

  2. 2 Posted by smith.colin00 on Apr 05, 2018 @ 04:16 AM


    Are you storing passwords in plain text? WTF?

  3. Support Staff 3 Posted by Feodor Fitsner on Apr 05, 2018 @ 04:22 AM


    That email is being sent before the password is hashed and the hash stored in the database. Passwords are stored in the database in the form of salt+hash.
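Worked example, added here and not part of the thread or of AppVeyor's code: an invitation flow of the kind Feodor's first reply describes (a "set your password" link instead of an emailed password), combined with the salt+hash storage his second reply describes. The store, host name, TTL and iteration count are assumptions for the example; only a hash of the invite token is kept server-side, the token is single-use and expires, and the email never carries a password.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# In-memory stand-ins for the database tables (constructed for this example).
@dataclass
class User:
    email: str
    salt: bytes = b""
    password_hash: bytes = b""

@dataclass
class Invite:
    token_hash: bytes      # SHA-256 of the token; the token itself is never stored
    expires_at: float      # unix time
    used: bool = False

USERS: Dict[str, User] = {}
INVITES: Dict[str, Invite] = {}     # keyed by email

PBKDF2_ITERATIONS = 600_000         # assumed work factor for PBKDF2-HMAC-SHA256
INVITE_TTL_SECONDS = 24 * 3600      # assumed token lifetime
BASE_URL = "https://ci.example.test"  # placeholder, not AppVeyor's host

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: this is what gets stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def create_invite(email: str, now: Optional[float] = None) -> str:
    """Create the user without a password and return a one-time invite token.

    The caller emails build_invite_link(email, token); the token is the only
    secret in that email and it cannot be used to log in on its own.
    """
    now = time.time() if now is None else now
    USERS[email] = User(email=email)
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).digest()
    INVITES[email] = Invite(token_hash, now + INVITE_TTL_SECONDS)
    return token

def build_invite_link(email: str, token: str) -> str:
    return f"{BASE_URL}/set-password?email={email}&token={token}"

def redeem_invite(email: str, token: str, new_password: str,
                  now: Optional[float] = None) -> bool:
    """Consume the invite and set the user's password. False on any failure."""
    now = time.time() if now is None else now
    invite = INVITES.get(email)
    if invite is None or invite.used or now > invite.expires_at:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, invite.token_hash):  # constant-time
        return False
    invite.used = True                      # single use, even if setting fails later
    user = USERS[email]
    user.salt = secrets.token_bytes(16)     # per-user random salt
    user.password_hash = hash_password(new_password, user.salt)
    return True

def verify_login(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None or not user.password_hash:   # invite not redeemed yet
        return False
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)

if __name__ == "__main__":
    tok = create_invite("ben@example.test")
    print("email body contains only:", build_invite_link("ben@example.test", tok))
    print("redeemed:", redeem_invite("ben@example.test", tok, "correct horse battery"))
    print("login:", verify_login("ben@example.test", "correct horse battery"))
```

A few design points the thread touches on: the invite token is not a password, so even if the email is read by someone else after the user has redeemed it, it grants nothing; the expiry bounds the window in which an unread email is dangerous; and storing only the token's hash means a database leak does not expose usable invite links, in the same way that storing salt+hash of passwords does not expose usable passwords.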

  4. 4 Posted by smith.colin00 on Apr 05, 2018 @ 04:29 AM


    Thanks for the quick reply, Feodor. Can't be too careful nowadays, it seems :\

  5. Ilya Finkelshteyn closed this discussion on Aug 25, 2018 @ 02:27 AM.
