----- Original message -----
> Thomas Goirand <[email protected]> writes:
>
> > dtc sends the password of new users to the webmaster:
> [...]
> > > This mail is not encrypted.
> >
> > Most of the time, the receiving server would be the same server
> > receiving the email. If that's not the case, then the admin is free to
> > set up encryption (and maybe auth) between the 2 SMTP servers.
>
> So it's "maybe" secure?

No, it's secure by default if the destination email is on the same computer (or same LAN), which will be the case most of the time.

> And it doesn't help against compromise of the
> host where mails are stored.

Sure, and it doesn't prevent a nuclear bomb from exploding either... Does that count? Seriously, do you really think that receiving your administrator messages on a "compromised host where mails are stored" counts as an argument here?

> > The reason is very simple: anti-fraud. Many times, you see the same
> > hacker registering with the same password, and it helps detecting it.
> > Also, you want the admin to see the weakest password to be able to do a
> > bit of policing.
>
> This really is one of the worst reasons I have ever seen...

Yet thanks to seeing the same password twice, I was able more than once to delete hacked accounts. Also, I sometimes lock accounts by changing the client password, and the history in my email makes it possible for me to restore the old password.

Yet, don't see this as denying the issue... I didn't close this bug! :)

You've made your points by making these 2 bug reports, thanks. Now if you want to continue helping, only a patch will.

Thomas
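The two things the reply wants from plaintext passwords in the admin mail are (a) noticing when several new accounts register with the same password and (b) spotting weak passwords. The following is an added illustration, not dtc's code and not something either poster proposed: it keeps a keyed fingerprint (HMAC-SHA256 under a server-side secret) of each password purely for cross-account matching, stores the login credential as a separate salted PBKDF2 hash, and emits admin alerts that name the accounts involved without ever including the password itself. The secret key, the account names, the passwords and the weak-password blocklist are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed server-side secret for the reuse fingerprint (hypothetical value;
# a real deployment would load it from protected config, never from source,
# and would keep it away from the mail store so a mailbox compromise does
# not turn the fingerprint table into an offline guessing target).
FINGERPRINT_KEY = b"example-only-replace-with-os.urandom(32)"

PBKDF2_ROUNDS = 200_000

# Constructed blocklist standing in for a real common-password list.
WEAK_BLOCKLIST = {"123456", "password", "qwerty", "letmein"}


def password_fingerprint(password: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Deterministic keyed digest: equal passwords give equal fingerprints,
    so reuse across accounts can be detected without keeping plaintext."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def credential_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash used for authentication; unrelated to the fingerprint."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, dk


def is_weak(password: str) -> bool:
    """Minimal policy check: too short or on the blocklist."""
    return len(password) < 10 or password.lower() in WEAK_BLOCKLIST


class Registry:
    """In-memory account store that raises admin alerts at registration time."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, dk)
        self.by_fingerprint: Dict[str, List[str]] = {}      # fp -> users sharing it

    def register(self, username: str, password: str) -> List[str]:
        """Create the account and return alert lines for the admin mail.
        The returned text never contains the password."""
        alerts: List[str] = []
        fp = password_fingerprint(password)
        reused_by = self.by_fingerprint.get(fp, [])
        if reused_by:
            alerts.append(
                f"password-reuse: {username} shares a password with {', '.join(reused_by)}"
            )
        if is_weak(password):
            alerts.append(f"weak-password: {username}")
        self.accounts[username] = credential_hash(password)
        self.by_fingerprint.setdefault(fp, []).append(username)
        return alerts

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison against the stored PBKDF2 credential."""
        if username not in self.accounts:
            return False
        salt, dk = self.accounts[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    reg = Registry()
    for user, pw in [("alice", "correct-horse-battery"), ("bob", "correct-horse-battery"),
                     ("eve", "123456"), ("mallory", "123456")]:
        for line in reg.register(user, pw):
            print(line)   # what would go into the admin notification instead of the password
```

The fingerprint table is an equality oracle, so it should be treated as sensitive in its own right: keep it in the application database rather than in anyone's mailbox, rotate the key if it leaks, and never derive the login hash from it. The admin still learns exactly what the reply says is useful (which accounts registered with the same password, and which ones are weak) while the mail crossing the SMTP hop carries only usernames.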

