Criticism of emailing the username/password



Criticism of emailing the username/password

Postby janer » Mon Jun 06, 2011 6:10 am

I have just received the following criticism from a newly-registered reader:

"For security reasons it is most inappropriate to send passwords in plain text by email. Many users take the same password for several registrations, as one's memory for such things is not infinite.
At least you ought to explain on your website that you are going to confirm the password by email and warn the prospective users to use a new password that is not used in any other context."

I tried to track down any previous correspondence in the Forum but could not, and when I looked to see if I could edit the automatically-generated registration email to suggest to the recipient that they change their password immediately to something more memorable to them, it isn't in the list of prepared emails available to me as Journal Manager and anyway it would presumably result in yet another email containing the new password. I think the suggestion of warning the user is a good one however, and would like to be able to do that on the registration template, but don't know how to.

The system seems to have been designed around sending confirmation emails with the username and password in full - isn't that rather risky nowadays?

Best wishes,



Re: Criticism of emailing the username/password

Postby asmecher » Mon Jun 06, 2011 8:40 am

Hi Jane,

Emails containing passwords are only sent out during the registration process, i.e. when a user registers for an account in the system, or when the Journal Manager or Editor creates an account for them. If you'd rather not have passwords emailed to users, you can edit the email templates for the registration process and remove that part of the message; users will still be able to register and use the system. If the message is sent by a Journal Manager or Editor, you can direct users to the password reset process to create a password for the first time. No parts of the system depend on emailed passwords, but it's still common (though imperfect) practice and many users will be confused otherwise, so we still ship this way by default.

Alec Smecher
Public Knowledge Project Team
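
The template change described in the reply above, sketched as an added example that is not part of the original thread and not OJS code: it flags template lines that interpolate a password and replaces them with a pointer to the password reset process. The Smarty-style `{$name}` placeholder syntax, the variable names, the reset wording and the sample templates are all assumptions constructed for illustration.

```python
import re

# Assumed placeholder syntax: Smarty-style {$name}. The variable names below are
# hypothetical; check the names your own templates actually use.
SECRET_VARS = {"password", "newPassword"}
PLACEHOLDER = re.compile(r"\{\$(\w+)\}")
# Constructed wording that points the user at the password reset process.
RESET_NOTE = "To set your password, use the password reset link on the login page."


def audit_template(body):
    """Return (line_number, line) for every line that interpolates a secret."""
    hits = []
    for number, line in enumerate(body.splitlines(), start=1):
        if SECRET_VARS & set(PLACEHOLDER.findall(line)):
            hits.append((number, line))
    return hits


def strip_secrets(body):
    """Drop lines that interpolate a secret; add the reset note once in their place."""
    flagged = {number for number, _ in audit_template(body)}
    if not flagged:
        return body
    kept = [line for number, line in enumerate(body.splitlines(), start=1)
            if number not in flagged]
    # Every line before the first flagged one was kept, so its index is unchanged.
    kept.insert(min(flagged) - 1, RESET_NOTE)
    return "\n".join(kept)


# Constructed sample templates, not taken from any real installation.
TEMPLATES = {
    "registration": "Hello {$fullName},\n\nUsername: {$username}\n"
                    "Password: {$password}\n\nThank you",
    "reminder": "Hello {$fullName},\n\nYour review is due on {$dueDate}.",
}

if __name__ == "__main__":
    for name, body in TEMPLATES.items():
        for number, line in audit_template(body):
            print(f"{name}:{number}: {line}")
        print(strip_secrets(body), end="\n\n")
```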
