Customer Passwords

[deniser]

(Please no lectures on account creation but) In the event that a customer account is created, is there anything wrong with emailing the customer the log in details ie. username and password? This is in cases where an account is not in any way linked to any payment details. It is purely to save the address details.

I receive these quite regularly from other companies so am used to them and of course choose a different password each time.

But someone else is shocked to receive their password by email.

I am wondering whether this is because they use one password for everything they do?

Would anyone here be shocked to receive their password emailed back to them as an aide memoire? I reiterate that no financial details are linked to the password.

 

[Faevilangel]

In a perfect world I would set them up an account with a automated password, then next time they login they are asked to change it.

Not all systems allow this so would be in a perfect world, but one of my clients won't send me his passwords for his website via email but texts me them, could you incorporate texts or even ring them to give the password?

Emails can be read by anyone, so not advisable to send via email BUT if there is no financial info kept (I am guessing all credit card info etc is done by a third party like sagepay) then I can't see why you can't email the password but next time they login, get them to register a new pw.

 

[andygambles]

I have had customers raise this before so we stopped emailing them and force the customer to set a password on signup.

IMHO text is less secure than email. You can pgp an email an or send via SSL/TLS. Texts can just appear on the screen of a phone left lying about.

 

[peteoc]

My view on password creation is firstly let the user create their own password, giving them an extra step when using your site to change their password is taking a step back.

You have to trust your users, if you don't then start logging all login actions, attempts at login etc........IP address, Time etc however someone with an bit of knowledge can spoof their IP or even use a proxy.

I'm coming from the other side on this where I've been developing websites for a stupid number of years and only just setting up a business.

 

[Raw Rob]

(Please no lectures on account creation but) In the event that a customer account is created, is there anything wrong with emailing the customer the log in details ie. username and password?

If I (as customer) chose the password, then no, I would not want you to email it to me.

If the password is auto-generated by the system, then fine, email it to me, and I can then change it, although as already suggested, this is not the best way of doing it, just let the customer choose the password in the first place.

Rob

 

[alanc]

But someone else is shocked to receive their password by email.

People seem to have very different perceptions of what is 'safe' on the internet. These will be based on:
- a knowledge of how things works (rare)
- their past experience
- what newspaper they read
- some bloke they met down the pub

Based on this, the results can be quite widely varied (hence the shocked person). It is a similar kind of judgement that they make when visiting on online shop for the first time, and try to answer the question: is it safe?.

It is best to err to the side of caution, and don't give them a reason to be shocked.

Personally, I have very rarely received a password by email, so it would seem unusual (but I was going to ask my mate down the Till & Tape Dispenser about it).

 

[nigel007]

Hi,

I totally agree with "andygambles". his point is very valid.