Lost password email should not have real password in email - 01-05-2008, 02:02 PM
Overall I am super-pleased with Kayako, but this policy of sending the actual password in the lost password email is generally considered bad form. Many people use the same password for many applications, and this ends up sending that password in a clear text email.
Most "lost password" schemes involve setting a randomly generated password and mailing that to the customer. They can then log back in and change their password to whatever they want. Some go further by sending a one-time token. That is probably best, but perhaps overkill.
It would seem relatively trivial to do. The code to set random passwords already exists. It would just involve invoking that code before sending the lost password email.
Just my thoughts. Keep up the good work, Kayako is a really nice application!
JP
PS. Yes, of course I have disabled sending the password in ticket emails! I am glad that was configurable!
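The one-time token scheme the post describes, sketched as an added example that is not Kayako's code and not from the poster. It assumes a hypothetical in-memory user and token store, a constructed 15-minute validity window, and a PBKDF2 stand-in for whatever password hashing the application actually uses. The key properties are the ones the post argues for: the email carries only a random token, never a password; only a hash of the token is stored; the token expires and can be used exactly once.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical validity window for a reset token (constructed value).
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; a stand-in for the application's real scheme."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    """Check a password against a value produced by hash_password()."""
    salt_hex, digest_hex = stored.split(":", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# In-memory stand-ins for the helpdesk's user and token tables (constructed for this example).
users = {"jp@example.com": {"password_hash": hash_password("old-password")}}
reset_tokens = {}  # sha256(token) -> {"email": ..., "expires": ..., "used": ...}


def issue_reset_token(email, now=None):
    """Create a one-time reset token for `email` and return the raw token.

    Only the SHA-256 hash of the token is stored, so a leaked token table does
    not yield usable reset links. The raw token is the only secret that goes
    into the email; the user's password is never sent."""
    now = time.time() if now is None else now
    raw_token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
    reset_tokens[token_hash] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return raw_token


def build_reset_email(raw_token):
    """Body of the lost-password email: a link carrying the token, nothing else."""
    # Hypothetical reset URL; a real deployment would use its own base URL.
    return "To reset your password, open: https://helpdesk.example.com/reset?token=" + raw_token


def redeem_reset_token(raw_token, new_password, now=None):
    """Validate a token from the reset link and set a new password.

    Returns True on success; False if the token is unknown, expired, or
    already used. Lookup uses a constant-time comparison so timing does not
    reveal how much of a guessed token matched."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
    record = None
    for stored_hash, rec in reset_tokens.items():
        if hmac.compare_digest(stored_hash, token_hash):
            record = rec
            break
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True  # single use: a replayed link must fail
    users[record["email"]]["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    token = issue_reset_token("jp@example.com")
    print(build_reset_email(token))
    print("redeemed:", redeem_reset_token(token, "new-secret"))
    print("replay rejected:", not redeem_reset_token(token, "again"))
```

The randomly generated password approach the post mentions as the common alternative is the same flow with `new_password` chosen by the server instead of the user; the token variant is preferable because the email contains nothing that remains valid after a single use or after the window closes.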