Do not email back passwords

Forum rules
The Public Knowledge Project Support Forum is moving to

This forum will be maintained permanently as an archived historical resource, but all new questions should be added to the new forum. Questions will no longer be monitored on this old forum after March 30, 2015.
Posts: 1
Joined: Wed May 12, 2010 7:20 am

Postby dpleibovitz » Wed May 12, 2010 7:32 am

I just registered as a new user for an OJS-based journal ... complicity
and received a confirmation email containing my password.

1) I do not think that passwords (unless temporary) should ever be emailed to anyone. They could be reset.
2) Ideally, they should not even be stored in the clear. They could be stored after a one-way hash. This email is only about 1).

For 1), a simple desktop search on 'password' could reveal all in-the-clear passwords available, including those in emails. People often re-use passwords, and this makes it easy to find and use other people's accounts. It is much easier for developers of any system to simply never email passwords. Please update the software to at least not include the password in any confirmation (or other) emails.

PS. I have to manually edit the received email to delete that portion. Not all email clients allow one to do so.

Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm

Re: Do not email back passwords

Postby asmecher » Wed May 12, 2010 9:30 am

Hi dpleibovitz,

Passwords are stored using a one-way hash. By default, passwords are sent upon registration and a temporary password is sent upon password reset; if you wish to remove the password from registration emails, you can use the "Prepared Emails" tool to remove that variable.

Alec Smecher
Public Knowledge Project Team
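As an added example of the practice both posts describe (not OJS code, and not from either poster): store only a salted one-way hash, keep the password out of the registration email, and on reset send an expiring single-use token instead of a password. The PBKDF2 iteration count and the in-memory dict standing in for the user table are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumed value; tune to your hardware


def hash_password(password, salt=None):
    """One-way, salted hash: 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register_user(db, username, password):
    """Persist only the hash and build a confirmation email that never carries the password."""
    db[username] = {"password_hash": hash_password(password), "reset": None}
    body = (f"Dear {username},\n\nYour account has been created. "
            "Log in with the password you chose at registration.\n")
    return {"to": username, "subject": "Registration confirmation", "body": body}


def issue_reset(db, username, ttl_seconds=3600, now=None):
    """Password reset: email a random, expiring, single-use token; store only its hash."""
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    db[username]["reset"] = {"token_hash": hashlib.sha256(token.encode()).hexdigest(),
                             "expires": now + ttl_seconds}
    return {"to": username, "subject": "Password reset", "body": f"Reset token: {token}\n"}


def redeem_reset(db, username, token, new_password, now=None):
    """Accept the token once, only before expiry, then set the new password hash."""
    rec = db[username]["reset"]
    now = time.time() if now is None else now
    if rec is None or now > rec["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), rec["token_hash"]):
        return False
    db[username]["reset"] = None  # single use
    db[username]["password_hash"] = hash_password(new_password)
    return True
```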
