
Do not email back passwords



Postby dpleibovitz » Wed May 12, 2010 7:32 am

I just registered as a new user for an OJS-based journal
http://ejournals.library.ualberta.ca/in ... complicity
and received a confirmation email containing my password.

1) I do not think that passwords (unless temporary) should ever be emailed to anyone. They could be reset.
2) Ideally, they should not even be stored in the clear. They could be stored after a one-way hash. This email is only about 1).

For 1), a simple desktop query on 'password' could reveal all in-the-clear passwords available, including those in emails. People often re-use passwords, and this makes it easy to find and use other people's accounts. It is much easier for developers of any system to simply never email passwords. Please update the software to at least not include the password in any confirmation (or other) emails.

PS. I have to manually edit the received email to delete that portion. Not all email clients allow one to do so.
Posts: 1
Joined: Wed May 12, 2010 7:20 am

Re: Do not email back passwords

Postby asmecher » Wed May 12, 2010 9:30 am

Hi dpleibovitz,

Passwords are stored using a one-way hash. By default, passwords are sent upon registration and a temporary password is sent upon password reset; if you wish to remove the password from registration emails, you can use the "Prepared Emails" tool to remove that variable.

Alec Smecher
Public Knowledge Project Team
Posts: 9922
Joined: Wed Aug 10, 2005 12:56 pm
