I am going to take the "high road" here and suggest that you really should
check out your facts before you send out e-mails like this and stir up all
kinds of unnecessary controversy! It is particularly insulting to those of
us who voluntarily spend more than 30 hours per week on VTR related
matters, to have our efforts referred to as "the most egregious security
practice
I have ever seen" and "incredibly amateurish habitb�.
This is probably all a moot point since we will likely be discontinuing
the practice of including your password on any VTR correspondence, however
convenient others may find this to be.
First of all, let me assure everyone that "every" e-mail that is sent out
from VTR does not include your username and password.
Interestingly enough, I, as VTR Membership Secretary, do not even know or
have access to what everyone's password is. It is a totally blank field in
our administrative database. I can insert a new password, but I never know
what the prior password was.
I am sure our President will be responding but let me remind you of
(apologies in advance to Information Technology Officers) a few things about
passwords in general. You presumably have a safe, secure, password for your
e-mail account and only you can view your e-mail. Therefore, any e-mail we
send
you with your VTR password would presumably be read only by you. Because
many e-mail users on any system forget or otherwise lose their passwords,
virtually every system allows you to request your password. With most systems
I am familiar with, the recovered password is sent to your e-mail address
after the system first verifies your request, and matches the e-mail
address on file associated with the username you attempted to log in under.
Anyway, suppose someone with ill-intent does acquire your VTR password.
Since we house no financial information in your profile (like credit card,
PayPal, or bank account information) there is little that could be done to
your profile, other than nuisance name changes, etc. I submit to you that your
exposure is not much greater than your listing in a local telephone
directory or other public information sources readily available on the
Internet.
Not withstanding the foregoing, my recommendations will be to remove the
passwords from all VTR correspondence, with the exception of specific
requests for recovery.
Regards,
Bill Lynn
VTR Membership Secretary
e-mail: _triumphtr2@aol.com
_ (mailto:triumphtr2@aol.com)
In a message dated 3/1/2010 8:08:53 A.M. Central Standard Time,
sumton@sbcglobal.net writes:
I just received an email from the Vintage Triumph Register. every email
they send out has your username and password in clear text.
help me out people - this is the most egregious security practice I have
ever seen. please send them an email and tell them to stop this
practice!!!!! tell them you will not renew until they cease this incredibly
amateurish habit.
their email is _membership@vtr.org_ (mailto:membership@vtr.org)
_______________________________________________
6pack@autox.team.net
Donate: http://www.team.net/donate.html
Archive: http://www.team.net/archive
Forums: http://www.team.net/forums
|