My client is concerned with the registration notification emails and the email sent when someone loses their password. In each email, both the username and login are sent in plain text and they are wondering if there is a way to make this process more secure somehow, such as emailing them separately. Has anyone done this, or does aMember already allow this somehow? Thanks
Mailing them separately, that sounds very useless in my opinion. If somebody has access to the email, then if it came together or separately... they would still get it. If you REALLY wanted to not have them in the email though, you could just edit it out of the email template.
I believe all these things are usable for banking institutions. Nobody will hack someone else's email just to get access to a usual membership site. I understand that I may be wrong - I saw sites where it is critical.
To make it really secure, we need to add a special field, let's say "Password Retrieval Question" and "Password Retrieval Answer". For example, Yahoo uses this scheme. To get a lost password you have to enter the answer to such a question. Do you think it helps to solve the problem?
Alex, my company is very interested in having this built into aMember. We don't want to use aMember in production right now because we do not trust mail servers to store customer passwords, yet we need the customer to be able to reset the password. (A certain ISP we have to deal with has had numerous break-ins...) I am guessing resetting a password after answering a personalized question cannot be done through a plug-in. Am I right? If you add this feature (to get rid of plain-text password retrieval), when do you think we can try it out?
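The reset-by-question flow discussed in this thread can be built so that no password is ever stored or emailed in plain text. The sketch below is an added example, not aMember code and not from any poster; every function and field name is hypothetical, and it assumes the user types a new password on the site after answering.

```php
<?php
// Added illustration; not aMember code. All names here are hypothetical.

const MAX_FAILED_ANSWERS = 5; // assumed lockout threshold

// Normalise so that " Fluffy " and "fluffy" are treated as the same answer.
function normalize_answer(string $answer): string {
    return strtolower(trim(preg_replace('/\s+/', ' ', $answer)));
}

// Registration: only hashes of the password and the answer are kept,
// so there is nothing in plain text to put into an email later.
function register_user(string $login, string $password,
                       string $question, string $answer): array {
    return [
        'login'          => $login,
        'pass_hash'      => password_hash($password, PASSWORD_DEFAULT),
        'question'       => $question,
        'answer_hash'    => password_hash(normalize_answer($answer), PASSWORD_DEFAULT),
        'failed_answers' => 0,
    ];
}

// Lost-password step: the old password is never revealed. A correct answer
// lets the user set a new one; repeated wrong answers lock the flow.
function reset_password(array &$user, string $answer, string $newPassword): bool {
    if ($user['failed_answers'] >= MAX_FAILED_ANSWERS) {
        return false; // locked, needs manual handling by the site owner
    }
    if (!password_verify(normalize_answer($answer), $user['answer_hash'])) {
        $user['failed_answers']++;
        return false;
    }
    $user['pass_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $user['failed_answers'] = 0;
    return true;
}

// Constructed sample data for a stand-alone run.
$user = register_user('jdoe', 'old-secret', 'Name of first pet?', 'Fluffy');
var_dump(reset_password($user, 'rex', 'new-secret'));        // wrong answer
var_dump(reset_password($user, '  fluffy ', 'new-secret'));  // matching answer
var_dump(password_verify('new-secret', $user['pass_hash'])); // new password check
```

The answer is effectively a second password, so it is hashed and rate-limited the same way; a guessable answer weakens the account regardless of how it is stored.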