[TR] vtr passwords and their dissemination

VTRmbrshp at aol.com VTRmbrshp at aol.com
Mon Mar 1 13:32:53 MST 2010


I am going to take the "high road" here and suggest that you really should
check out your facts before you send out e-mails like this and stir up all
kinds of unnecessary controversy! It is particularly insulting to those of
us who voluntarily spend more than 30 hours per week on VTR-related
matters, to have our efforts referred to as "the most egregious security
practice I have ever seen" and "incredibly amateurish habit".

This is probably all a moot point since we will likely be discontinuing
the practice of including your password on any VTR correspondence, however
convenient others may find this to be.


First of all, let me assure everyone that "every" e-mail that is sent out
from VTR does not include your username and password.

Interestingly enough, I, as VTR Membership Secretary, do not even know or
have access to what everyone's password is. It is a totally blank field in
our administrative database. I can insert a new password, but I never know
what the prior password was.

I am sure our President will be responding but let me remind you of
(apologies in advance to Information Technology Officers) a few things about
passwords in general. You presumably have a safe, secure password for your
e-mail account and only you can view your e-mail. Therefore, any e-mail we
send you with your VTR password would presumably be read only by you. Because
many e-mail users on any system forget or otherwise lose their passwords,
virtually every system allows you to request your password. With most systems
I am familiar with, the recovered password is sent to your e-mail address
after the system first verifies your request, and matches the e-mail
address on file associated with the username you attempted to log in under.

Anyway, suppose someone with ill-intent does acquire your VTR password.
Since we house no financial information in your profile (like credit card,
PayPal, or bank account information) there is little that could be done to
your profile, other than nuisance name changes, etc. I submit to you that your
exposure is not much greater than your listing in a local telephone
directory or other public information sources readily available on the
Internet.

Notwithstanding the foregoing, my recommendations will be to remove the
passwords from all VTR correspondence, with the exception of specific
requests for recovery.

Regards,
Bill Lynn
VTR Membership Secretary
e-mail: triumphtr2 at aol.com

In a message dated 3/1/2010 8:08:53 A.M. Central Standard Time,
sumton at sbcglobal.net writes:


I just received an email from the Vintage Triumph Register. every email
they send out has your username and password in clear text.

help me out people - this is the most egregious security practice I have
ever seen. please send them an email and tell them to stop this
practice!!!!! tell them you will not renew until they cease this incredibly
amateurish habit.

their email is membership at vtr.org

