Transmitting Account Information via Email

Hello,

Not sure if this is the right place to put this, but I hope so, because I really am looking for some clarification on this issue. Lots of questions... here goes... I am curious about what practices would be considered acceptable or unacceptable related to transmitting account information to user's email addresses.

Is it inappropriate to email a customer their password to their registered email address in an unencrypted format?

What is the real potential for someone to intercept an email containing relatively sensitive information like this?

Is there really any totally secure way to handle such a situation where a user forgets their password?

If anyone has some web sites that offer best practices related to this kind of thing, please post them.

Thanks!

Hey Hey,

It's definately not 100% secure to send the username and password through email, it's not really secure at all simply because it is plain text.... (unless they're running some sort of encryption... but how many users that lose their password use encryption... or know what it is)...

I can tell you how we handle passwords at our service desk...

There's an online forgot your password mechanism... students must know their student number and either their Password for our other site, their SIN (Social Insurance Number), or their date of birth (depending on the courses enrolled in) to obtain their password.. Then it's displayed on screen... (all done over HTTPS).. Our other site, takes your last name and either your Student Number or SIN and emails a new temp password to your college email account. So you always need one account details to get the other... If you lose both.. we come into play.. You call us and give us your student number... we verify your identity with two pieces of information (postal code, middle name, email address on record).. and give it to you... In person you can walk in with your student card... or student number and photo id and we'll give it to you... and by email you can email us the required information and you'll also recieve the information you require.... We try to verify... even if it isn't the best method... before we hand out the persons information....

Is what we do secure? Not entirely... but for the most part it keeps the users information fairly safe.

Peace,
HT

When I was subbing for M$, number one rule was NEVER EVER email a customers password to them. Get on the phone, call and verify the customers ID and then give it to them. No exceptions.

The most common way you will see today in terms of automated system will do the following:
- User visits a special "I forgot my password" page and enters their account name (and/or email address).
- They are then forwarded to another page that asks two challenge questions. These are entered by the user at registration time.
- If they complete the challenge questions, the password is set to something new and random. This new password is temporarily stored in a special table in the site's database, associated with a particular randomly-generated key code.
- The user is emailed a secure link (HTTPS) that references the key code and displays the person their randomly generated password. They can then use this password to log in and then immediately change it.
- Upon first login with this new temporary password, it deletes the entry in the temporary key-code table.

This is a decently secure way of doing it that is automated. In some ways, it may be more secure than speaking with someone on the phone.

Passwords are like credit card #'s. They should never be sent to the customers or displayed on a web page. It is simpler to have the user pass the authentication questions and then simply set the password to a new value themselves. If they cannot remember the answers to their own challenge questions then they should be sent to someone in customer service that can authenticate them over the phone and aid the user in re-setting their password.

Just wanted to thank everyone for their feedback. Very helpful and much appreciated! :)

v