On Wed, 2011-10-12 at 10:27 +0200, Frédéric Delanoy wrote:
> Maybe the mail should mention to directly change that pwd (or provide
> a one-time pwd you need to change on first login), but then again it's
> plain http, so that doesn't help much.
> Anybody with half a brain will have done that anyway.

Note that that message contains both the 'user name' AND the plaintext
password, but as others have said, this is unavoidable. Immediately on
receipt of the message, the user should:
- login using that password
- change the password to one of his own choice
- logout

BTW, it would be most useful to know more about the type of password that
can be used, in particular:
- maximum and minimum lengths
- what characters are acceptable. A password should be case sensitive
  and contain any printable character. Systems that are case agnostic
  and accept only the characters a-z0-9 are simply not good enough.
  Systems that accept a longer passphrase are good on two counts: a
  phrase is often easier to remember and its length makes it harder to
  crack.
- if a dictionary is used to ban easily guessable passwords
- if passwords can be re-used - ideally not.

Martin
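The properties Martin asks about (minimum and maximum length, case sensitivity, any printable character allowed, a dictionary of banned passwords, no re-use) written out as a policy checker. This is an added example, not code from the thread or from the system being discussed; the thresholds, the banned word list and the password history are constructed, and keeping old passwords as salted PBKDF2 digests rather than plaintext is an assumption about how a re-use check would be stored.

```python
"""Password-policy checker (added example, not from the thread).

Demonstrates: length bounds, case-sensitive comparison, any printable
character accepted (including space, so passphrases work), a dictionary
ban and a no-re-use check against salted digests of earlier passwords.
"""
import hashlib
import hmac
import os
import string
from typing import Iterable, List, Optional, Tuple

# Constructed policy parameters: assumptions, not any real system's values.
MIN_LENGTH = 12
MAX_LENGTH = 128            # generous upper bound so passphrases are allowed
PBKDF2_ITERATIONS = 50_000

# Constructed list of easily guessable passwords to ban.
BANNED_WORDS = {"password", "letmein", "qwerty", "123456", "welcome"}

HistoryEntry = Tuple[bytes, bytes]   # (salt, digest)


def hash_for_history(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive a salted digest so old passwords can be kept without plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def was_used_before(password: str, history: Iterable[HistoryEntry]) -> bool:
    """Re-derive with each stored salt; only an exact, case-sensitive match counts."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: Iterable[HistoryEntry] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Any printable character is fine (Unicode-aware); control characters are not.
    unprintable = sorted(c for c in set(password) if not c.isprintable())
    if unprintable:
        problems.append(f"contains non-printable characters: {unprintable!r}")

    # The dictionary check is deliberately case-insensitive and ignores digits and
    # punctuation around the word, so "Password1!" is still caught. The password
    # itself stays case-sensitive for matching and storage.
    core = password.lower().strip(string.digits + string.punctuation)
    if core in BANNED_WORDS:
        problems.append("is a banned dictionary word")

    if was_used_before(password, history):
        problems.append("was used before")

    return problems


if __name__ == "__main__":
    previous = [hash_for_history("correct horse battery staple")]
    for candidate in ("Password1!", "correct horse battery staple",
                      "Correct horse battery staple"):
        print(candidate, "->", check_password(candidate, previous) or "ok")
```

The history check derives a fresh digest per stored salt, so the cost grows with the number of remembered passwords; in practice the list is capped at the last few entries, which is also what keeps the re-use rule from becoming a nuisance for users.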