This post was originally written January 17, 2017. I'm migrating all posts from my personal blog onto dev.to
Recently, I registered for a new online community for ladies in technology. Part of the whole "get-out-there" goal. I went through the standard process of signing up with my email, using LastPass to generate a new password and save the entry in my vault, so on and so forth. I was pretty alarmed when I received an email half a minute later with all my login details... including the password in plaintext!
"Congratulations on entering the tech community! The login information for your account is:
Email: email@email
Password: password ..."
What are your thoughts on this? I asked around - it seems like this used to be standard practice. It's old, but still fine to use.
I explored the community a bit more and it was clear that the website doesn't handle any personal information about its users. There's no profile or chat section. The website is mostly links to local events and job postings. It's clear this isn't a high-security venture and strong password protection may not be necessary. That said, I truly think all services should take every step they can to help users protect their accounts and improve their online security. What if I weren't using a password generator, and the password I chose was actually already in use on another platform? Oops.
As an alternative, look at how Slack handles new users. When registering for a new channel, you receive a little email like so:
"Your Slack Account Information
Hi Erika,
Welcome to Slack! You've joined the team teamName. In case it's handy, here's a copy of your account details:
Team Name: teamName
Team Domain: http://teamURL
Sign-in Email Address: email@email ..."
This serves the same purpose: all the information you need, without the password. I like how it doesn't assume my email inbox is absolutely secure while still providing useful information I can archive.
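To make the difference concrete, here is an added example (my own illustration, not code from the post, the community's vendor, or Slack) of a registration flow that stores only a salted password hash and builds a Slack-style welcome email from the stored account fields, so the plaintext password is never available to the mailer. The `Account` fields, PBKDF2 parameters and email wording are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


@dataclass
class Account:
    # Note what is deliberately absent: there is no plaintext password field,
    # so no later code path (including email templates) can leak it.
    email: str
    team_name: str
    team_domain: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever persisted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(email: str, team_name: str, team_domain: str, password: str) -> Account:
    """Create the account record. The password is consumed here and discarded."""
    salt = os.urandom(16)
    return Account(email, team_name, team_domain, salt, hash_password(password, salt))


def verify_password(account: Account, candidate: str) -> bool:
    """Constant-time comparison against the stored hash at login time."""
    return hmac.compare_digest(account.pw_hash, hash_password(candidate, account.salt))


def welcome_email(account: Account, display_name: str) -> str:
    """Render the welcome message from stored fields only (Slack-style, no password)."""
    return (
        f"Hi {display_name},\n"
        f"Welcome! You've joined the team {account.team_name}.\n"
        "In case it's handy, here's a copy of your account details:\n"
        f"Team Name: {account.team_name}\n"
        f"Team Domain: {account.team_domain}\n"
        f"Sign-in Email Address: {account.email}\n"
    )


def leaks_secret(message: str, secret: str) -> bool:
    """Outbound-mail check: does the rendered message contain the secret verbatim?"""
    return secret in message
```

The `leaks_secret` check is the kind of assertion worth keeping in a test suite for every outbound template, so a later edit cannot quietly reintroduce the password.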
I reached out to the new community's help desk and was really happy with the response. The company they hired said it's standard to include the password, but the community agreed that it should be removed for the extra security and so it will be phased out.