from here (source tweet)
So apparently (according to this Twitter conversation) these weren't the members' original passwords but ones generated as part of a password reset procedure. The members aren't forced to change them, though, so for all intents and purposes the practice is just as bad (unless a member used their original password in multiple places; revealing that would be worse). At the very least, make sure that passwords sent this way can only be used once. Better yet, don't send passwords at all: send links instead, and again make sure they can only be used once.