Criticism of emailing the username/password

Postby janer » Mon Jun 06, 2011 6:10 am

I have just received the following criticism from a newly-registered reader:

"For security reasons it is most inappropriate to send passwords in plain text by email. Many users take the same password for several registrations, as one's memory for such things is not infinite.
At least you ought to explain on your website that you are going to confirm the password by email and warn the prospective users to use a new password that is not used in any other context."

I tried to track down any previous correspondence in the Forum but could not, and when I looked to see if I could edit the automatically-generated registration email to suggest to the recipient that they change their password immediately to something more memorable to them, it isn't in the list of prepared emails available to me as Journal Manager and anyway it would presumably result in yet another email containing the new password. I think the suggestion of warning the user is a good one however, and would like to be able to do that on the registration template, but don't know how to.

The system seems to have been designed around sending confirmation emails with the username and password in full - isn't that rather risky nowadays?

Best wishes,

Posts: 137
Joined: Fri May 16, 2008 7:12 am

Re: Criticism of emailing the username/password

Postby asmecher » Mon Jun 06, 2011 8:40 am

Hi Jane,

Emails containing passwords are only sent out during the registration process, i.e. when a user registers for an account in the system, or when the Journal Manager or Editor creates an account for them. If you'd rather not have passwords emailed to users, you can edit the email templates for the registration process and remove that part of the message; users will still be able to register and use the system. If the message is sent by a Journal Manager or Editor, you can direct users to the password reset process to create a password for the first time. No parts of the system depend on emailed passwords, but it's still common (though imperfect) practice and many users will be confused otherwise, so we still ship this way by default.

Alec Smecher
Public Knowledge Project Team
Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm
