On 3/17/13 5:30 PM, Derek Balling wrote:
>
> On Mar 17, 2013, at 8:24 PM, Starchy <star...@gmail.com> wrote:
>> My only major complaint with the system is that when a user emails in to
>> create a ticket for the first time, it automatically creates an account
>> for them, and emails them an account creation email with credentials in
>> plaintext. This is both insecure and incredibly confusing to people who
>> don't even know or care that we're using something called Redmine, so we
>> had to do some tinkering to turn that off.
>
> I want to throw up a "challenging opinion" on this one.
>
> If a customer has an account created for them automatically in the ticketing
> system, what does that account get them access to? Their ticket they just
> created.
>
> What's in that ticket they just created? The data they just themselves sent
> VIA EMAIL.
>
> Sending them a password, in email, presents no escalation of what data was
> already entrusted to the e-mail medium.
>
> There are a LOT of places where sending a password in e-mail is quite simply
> "wrong wrong WRONG", but I'm not convinced this is one of them. In fact, it
> seems like the outlier on the opposite side of the coin.

You raise a reasonable point. The behavior is still very undesirable to us in that it contradicts user training around phishing and plaintext password storage, and none of our users actually want a Redmine account to manage.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/