  • Passwords being emailed...

    We received an email from a customer who is really upset that his password was sent with his order confirmation. He said, and I quote:

    "ARE YOU PEOPLE NUTS!!!! YOU PUT MY SECURE PASSWORD IN PLAIN SIGHT IN THIS EMAIL. DO YOU HAVE NO SECURITY GUIDELINES IN YOUR COMPANY? YOU DID NOT SEND THIS AS A SECURE EMAIL WHICH MEANS THAT ANYONE WHO READS OR INTERCEPTS THIS EMAIL NOW HAS MY PASSWORD WHICH I HOLD VERY DEAR. YOU HAVE JUST VIOLATED MY RIGHTS MAKING YOUR "SSL" USELESS BECAUSE YOU JUST TOLD EVERYONE WHAT MY PASSWORD WAS."

    Is this true?? Does our cart send out unencrypted/unsecure emails? Please someone assist me with this asap, so I can soothe our customer. PLEASE!!!
    (¯`v´¯)
    `*.¸.*´

    ¸.•´¸.•*¨) ¸.•*¨)
    (¸.•´ (¸.•´ .•´ ¸¸.•¨¯`•
    * P£†®ª *

    Shadow Trailers
    www.TrailerandTruckParts.com
    www.Trailer-Wheels.com
    www.iTrailerParts.com

  • #2
    Yep - it's the default in all of the emails. I removed it first thing when I realized what was happening when I set up my cart. I left it in the Thank You for becoming a new customer email and took it out of everything else.

    VERY stupid default in my opinion. I was very surprised when I saw it in every order.

    Just go to your setup and go into every email and take it out. Careful with the html - you should test an order all the way through.

    Sorry you had to find out about it this way.
    C Ekman
    Owner/Designer: Cobweb Corner
    http://www.cobwebcorner.com



    • #3
      YOU'RE TELLING ME!! YESSS VERY STUPID!! I'm going to change this now, how disappointing! :mad: Thank you so much for your helpful reply. That was so kind! :)
      (¯`v´¯)
      `*.¸.*´

      ¸.•´¸.•*¨) ¸.•*¨)
      (¸.•´ (¸.•´ .•´ ¸¸.•¨¯`•
      * P£†®ª *

      Shadow Trailers
      www.TrailerandTruckParts.com
      www.Trailer-Wheels.com
      www.iTrailerParts.com



      • #4
        The email templates we discovered just after pulling the brown wrapper off our shiny new 3dcart store were a bit of a surprise! We expected each of the templates to be blank! Typically the site administrator/owner is responsible for creating all of the content. The free email templates saved us a SLEW of time and provided us with excellent examples of what can be done - including common tags for pulling customer/order data. Not "stupid" or "disappointing" at all to us!

        Honestly, the response from your customer is a bit over the top. Not that it should be dismissed, but it's just a bit of an overreaction. There is no overly sensitive information accessible by logging into any account. The customer's shipping and billing address and a history of purchases is about all that's accessible. There is no sensitive credit card information stored.

        If the customer's emails are that susceptible to being intercepted (by unscrupulous family members? Or, are they shopping from their place of employment? Hmmm...), then, I would have to say that the security concerns are on THEIR end not yours!

        That being said, we changed our confirmation emails to display XXXXX in place of the actual password. 3Dcart makes it easy to change these templates to anything you want them to be!

        The email functionality on order status updates is a GREAT feature well worth paying for! The default email templates (both text and HTML versions) are provided by 3dcart as a courtesy (in this idiot's opinion). It's definitely wise for any merchant to review the email correspondence being automatically sent out to their customers.

        Navigate to SETTINGS>DESIGNS>EMAILS. From there you can review each email template and tweak it to suit your needs.

        Assure your customer that no sensitive information is stored on your VERY secure server. Thank them for providing you with their valuable feedback and let them know that their comments were the catalyst to the implementation of revised communication being sent to all of your customers. That'll make 'em feel all big about themselves. ;) Pat them on the head for helping you improve the service provided to all your customers!

        Willing to bet a Krispy Kreme donut that they'll shop again on your site? I bet they will! :D

        ~fr*k



        • #5
          We took that out early on as well.
          We replaced the variable with ******
          :)



          • #6
            Frik-n-Frak,

            Customers ASSUME that NO ONE can see their passwords. I was surprised that I could see my customer's passwords in their customer account and personally wish I couldn't.

            I would rather just be given the ability to reset it for them.

            I NEVER tell a customer that I have access to their password.

            I think you're dismissing the customers concerns a little too lightly.

            Although in the perfect world we would all have different passwords for every single site we use and we would memorize each one and never write them down... In real life we know that isn't the case.

            The fact is we reuse our passwords MANY MANY times. So the customer is obviously concerned that something they THOUGHT no one else would ever see - is not only seen - but being transmitted without their permission.

            I don't think the original poster said anything about not liking the automatic emails. She just didn't like the fact that the password was included in each email.

            I agree with her 100% - and I would take it further and truly wish I couldn't see anyone's password. I don't even look at them when I go into customer records - I think it's a violation of privacy.

            I can think of NO reason why we should have access to this information. It should show us '*******' and if the customer forgets his password then we should be able to reset it or have it emailed to him.
            C Ekman
            Owner/Designer: Cobweb Corner
            http://www.cobwebcorner.com



            • #7
              You missed my bigger point which is that it's every merchant's responsibility to review the correspondence being sent to their customers.

              We're in agreement! We, too, feel that the password should not be transmitted in the email. Not because there is any real security threat (unless they are the type of internet user that uses the same password for everything - and then they've got bigger security problems than we can fix for them!) but that it just serves no purpose being there. We have the "forgotten password" email functionality in the event the customer wants their password emailed to them. So, we changed the template. It's easy to do AND it's our responsibility, not 3dcart's or anyone else's.

              ~fr_k



              • #8
                I agree completely with your latest post. Ultimately we are responsible for testing everything and knowing what is being sent to our customers.

                I didn't get that point in your first post - I read it more as the customer was overreacting.
                C Ekman
                Owner/Designer: Cobweb Corner
                http://www.cobwebcorner.com



                • #9
                  Originally posted by cekman
                  Frik-n-Frak,

                  Customers ASSUME that NO ONE can see their passwords. I was surprised that I could see my customer's passwords in their customer account and personally wish I couldn't.

                  I would rather just be given the ability to reset it for them.

                  I NEVER tell a customer that I have access to their password.

                  I think you're dismissing the customers concerns a little too lightly.

                  Although in the perfect world we would all have different passwords for every single site we use and we would memorize each one and never write them down... In real life we know that isn't the case.

                  The fact is we reuse our passwords MANY MANY times. So the customer is obviously concerned that something they THOUGHT no one else would ever see - is not only seen - but being transmitted without their permission.

                  I don't think the original poster said anything about not liking the automatic emails. She just didn't like the fact that the password was included in each email.

                  I agree with her 100% - and I would take it further and truly wish I couldn't see anyone's password. I don't even look at them when I go into customer records - I think it's a violation of privacy.

                  I can think of NO reason why we should have access to this information. It should show us '*******' and if the customer forgets his password then we should be able to reset it or have it emailed to him.
                  It's standard in the industry, no matter if it's 3dCart or PayPal, to have access to its customers' passwords. Here, for example, they are encrypted to most staff, but there is always someone who has the ability to see the password when it needs to be seen. The real issue is that computer users need to stop reusing passwords. If I am using the same password I use for my banking as I do when I buy something from shamwow.com, then *I* am creating the weak link in my own security.

                  We provide the ability to see passwords for store owners, so that your customers can get them from you if they have lost it. The other option would be to disable the customer's login after failed attempts, and that would guarantee no sale. This is not something you ever want to happen.



                  • #10
                    I have the same problem LOL.. like a couple of weeks ago, one lady was really angry; she called us and, not satisfied with calling us, she emailed us again about this lol..

                    Well this is how you change it:
                    Firstly, go to Settings > Design > Emails and look for 'New Order - Customer' and 'Customer Registration - Customer'. You will need to edit both of these. There are two versions of both, a text version and an HTML version.

                    You are looking for [pass], which is replaced with the customer's password when the email is sent out. So if you replace it, including the [], with ********* then they will see just ********.

                    Don't forget to check other templates such as: partially shipped, processing, etc.. Because some of them still put [pass] in there. So, if you don't want to put ******* just look for the:

                    <!--START: pass-->
                    Account Info:
                    Login: [oemail]
                    Password: [pass] =====> delete this row.
                    <!--END: pass-->

                    HTML part:

                    <!--START: pass-->
                    <strong>Account Info:</strong><br>
                    Login: [oemail]<br>
                    Pass: ********** =====> either you put that / just delete it.
                    <!--END: pass-->

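The procedure in post #10 boils down to an audit: every template, text and HTML, has to be checked for the `[pass]` tag, and each hit either masked with asterisks or removed together with its `<!--START: pass-->` / `<!--END: pass-->` block. The script below is an added example, not code from the thread or from 3dcart: it runs that audit over a set of constructed sample templates modelled on the snippets quoted above (the template file names and their wording are assumptions; only the `[pass]` and `[oemail]` tags and the START/END markers come from the post) and applies both fixes so the result can be re-audited.

```python
import re

# The merge tag 3dcart replaces with the customer's password (named in post #10),
# and the comment markers that wrap the account-info block in the stock templates.
PASS_TAG = "[pass]"
PASS_BLOCK = re.compile(r"<!--START: pass-->.*?<!--END: pass-->[ \t]*\n?", re.DOTALL)

# Constructed sample templates for the demo; file names and wording are assumptions,
# not 3dcart's real template files.
SAMPLE_TEMPLATES = {
    "new_order_customer.txt": (
        "Thank you for your order.\n"
        "\n"
        "<!--START: pass-->\n"
        "Account Info:\n"
        "Login: [oemail]\n"
        "Password: [pass]\n"
        "<!--END: pass-->\n"
        "\n"
        "We will notify you when it ships.\n"
    ),
    "new_order_customer.html": (
        "<p>Thank you for your order.</p>\n"
        "<!--START: pass-->\n"
        "<strong>Account Info:</strong><br>\n"
        "Login: [oemail]<br>\n"
        "Pass: [pass]<br>\n"
        "<!--END: pass-->\n"
        "<p>We will notify you when it ships.</p>\n"
    ),
    # A status template that leaks the password without the START/END markers.
    "partially_shipped.txt": (
        "Part of your order has shipped.\n"
        "Login: [oemail]\n"
        "Password: [pass]\n"
    ),
    "shipped.txt": (
        "Your order has shipped.\n"
        "Login: [oemail]\n"
    ),
}


def find_pass_tags(template: str) -> list[int]:
    """Return the 1-based line numbers on which the template still contains [pass]."""
    return [n for n, line in enumerate(template.splitlines(), 1) if PASS_TAG in line]


def audit(templates: dict[str, str]) -> dict[str, list[int]]:
    """Map each leaking template to its offending lines; clean templates are omitted."""
    return {name: hits for name, text in templates.items() if (hits := find_pass_tags(text))}


def mask_pass_tag(template: str, mask: str = "********") -> str:
    """Fix 1 from the thread: keep the line but show asterisks instead of the password."""
    return template.replace(PASS_TAG, mask)


def strip_pass_block(template: str) -> str:
    """Fix 2 from the thread: drop the whole START/END pass block.

    Templates that carry [pass] without the markers lose just the offending line,
    so the audit comes back clean either way.
    """
    cleaned, replaced = PASS_BLOCK.subn("", template)
    if replaced == 0:
        kept = [line for line in template.splitlines() if PASS_TAG not in line]
        cleaned = "\n".join(kept) + ("\n" if template.endswith("\n") else "")
    return cleaned


def fix_all(templates: dict[str, str], strip: bool = True) -> dict[str, str]:
    """Apply the chosen fix to every template."""
    return {name: (strip_pass_block(t) if strip else mask_pass_tag(t))
            for name, t in templates.items()}


if __name__ == "__main__":
    for name, lines in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: [pass] on line(s) {lines}")
    # After either fix, nothing leaks.
    assert audit(fix_all(SAMPLE_TEMPLATES)) == {}
    assert audit(fix_all(SAMPLE_TEMPLATES, strip=False)) == {}
```

Run it against the text and HTML versions exported from Settings > Design > Emails; any template the audit lists is one that will still mail the password on the next status update.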


                    • #11
                      Originally posted by 3dCartRobb
                      We provide the ability to see passwords for store owners, so that your customers can get them from you if they have lost it. The other option would be to disable the customer's login after failed attempts, and that would guarantee no sale. This is not something you ever want to happen.
                      You can't think of any other way to handle this?

                      1.) You already provide a way for the customer to be reminded of their password without me getting involved.

                      2.) When that doesn't work here is what I do when customer informs me they can't access their account...

                      - I NEVER tell them I can see their password
                      - I send them a generic password such as

                      browncow

                      then I email this to them and inform them to log into their account using this password and then instruct them on how to immediately change that password to their own. I also make sure they are aware that capitalization makes a difference.

                      Why would you have to disable their account? They can't get into it anyway.

                      Personally I have had 2 occasions that I remember where I have contacted customer support at an online business that I use and they asked for my password over the phone. On both occasions I refused to give it to them and told them I was NOT happy that a customer service rep could see my password. I told them I NEVER give out a password over the phone.

                      Also - companies like PAYPAL make it VERY clear that they will NEVER NEVER NEVER ask you for your password - on the phone or via email. Since they don't ask for it - why do they need to see it?

                      1.) I agree 100% that people should be more careful with their passwords. Making it so I can see them and everyone at 3DCart can see them just provides even MORE opportunity for passwords to become compromised.

                      2.) I wrote MS Access Databases for 19 years. These databases were used in multiple countries and states by nearly 1300 users. I was the SOLE person responsible for the entire database development, training, support etc. NEVER ONCE did I see a user password. If they forgot it I reset it. In 19 years there was no reason for me to see this PRIVATE information. Even when I went into the tables which I had full access to - the passwords were displayed as '*********' because I defined them as type PASSWORD. I could have probably gotten around that if I wanted to - but there was no reason to put myself into a position that I could be accused of compromising a password. This was VERY important because we had foreign nationals who were not allowed access to government contract information. Passwords were a BIG deal.

                      3.) I agree 100% that I and I ALONE am responsible for the communication that goes out to my customers. I removed the passwords from the emails before I went live. Still didn't like that I could SEE the passwords - but since I am my SOLE employee and I trust myself - I just let it go.

                      4.) Telling ME that my customers should be more careful isn't going to do one bit of good. You and I aren't going to change human behaviour. Again - showing me and 3DCart employees the passwords just provides additional temptation to SOMEONE to take advantage of them.

                      5.) Actually I'm just fine with it as it is because I'm a single employee- I didn't start this post - I just sympathized with the original poster and stated I didn't really like the way it was set up. You don't have to convince me that people should guard their passwords more - but your argument that we HAVE to see them just doesn't hold up in my opinion - at least not for my business.

                      6.) I like not being able to see personal information such as passwords and credit cards (I REALLY like using PAYPAL to capture credit card info for me because I NEVER see the credit card number). That way if a customer has a problem I can honestly say I never had access to that information so there is no way I could compromise their account.

                      Hope this clarifies what my thoughts are. I never asked that it be changed and have worked around it. But you need to provide a better reason for why it HAS to be the way it is.

                      I would be interested in hearing someone's scenario where they would have lost a customer because they couldn't see the ACTUAL password the customer had. That may change my opinion. It may be I just haven't run into that situation yet.

                      Thanks!
                      Last edited by cekman; 04-27-2009, 10:49 AM.
                      C Ekman
                      Owner/Designer: Cobweb Corner
                      http://www.cobwebcorner.com



                      • #12
                        Wow, I thought we were the only ones!

                        I had a customer cancel his order and go off on us for this last week. I didn't know what he meant - so I checked the email template. He was right.

                        It is a little strange to email this in an order- I've personally never seen it.



                        • #13
                          This is odd. The only email I have that includes a pass is the registration email... I do not recall ever removing them. I started on V2.0 I think?? Maybe they were not there then.
                          www.totaloutdoorsman.com - Your Total Choice for the Outdoors



                          • #14
                            3D must've removed it; I noticed since the issue came up that the email and password have disappeared from my order confirmation emails.



                            • #15
                              Originally posted by 3dCartRobb
                              Its standard in the industry, no matter if its 3dCart, or PayPal, to have access to its customer's passwords.
                              Uh, no. It's standard, on ecommerce sites and on computer operating systems, to hash passwords. If you forget your PayPal password, they don't send it to you. They send you a link to create a new password, which creates a new hash. Having customer passwords stored in plain text or even reversible encryption is a major security risk, and there's simply no reason for it.

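Post #15 describes the design that makes the whole argument moot: the store keeps only a salted hash, so neither staff nor an email template can disclose the password, and "forgot password" works by a one-time link that sets a new hash. The code below is an added example of that design, not the thread's code and not how 3dcart or PayPal implement it; the `Account` record, function names and the 15-minute token lifetime are assumptions. It uses only the Python standard library (PBKDF2-HMAC-SHA256 for the password, a random URL-safe token for the reset link, and only the token's SHA-256 stored server-side so a database dump cannot be used to take over accounts).

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed parameters for this demo: a high PBKDF2 iteration count and a 15-minute reset window.
PBKDF2_ITERATIONS = 600_000
RESET_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    """What the store persists. Note what is absent: the password itself."""
    email: str
    salt: bytes
    pw_hash: bytes
    reset_token_hash: Optional[bytes] = None   # SHA-256 of the outstanding reset token, if any
    reset_expires: float = 0.0                 # epoch seconds after which the token is dead


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the only thing ever stored for a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email=email, salt=salt, pw_hash=_derive(password, salt))


def verify_password(acct: Account, password: str) -> bool:
    """Constant-time comparison of the freshly derived hash against the stored one."""
    return hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash)


def start_reset(acct: Account, now: Optional[float] = None) -> str:
    """Issue a single-use reset token.

    The raw token goes into the emailed link; the database keeps only its hash,
    so nobody with read access to the table can complete the reset.
    """
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode("ascii")).digest()
    acct.reset_expires = (time.time() if now is None else now) + RESET_TTL_SECONDS
    return token


def finish_reset(acct: Account, token: str, new_password: str,
                 now: Optional[float] = None) -> bool:
    """Consume the token from the link and install a brand-new salt and hash."""
    now = time.time() if now is None else now
    if acct.reset_token_hash is None or now > acct.reset_expires:
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _derive(new_password, acct.salt)
    acct.reset_token_hash = None   # single use: a replayed link fails
    acct.reset_expires = 0.0
    return True


def stored_record(acct: Account) -> dict:
    """The row as it would appear in a database dump or to a staff member."""
    return {"email": acct.email, "salt": acct.salt.hex(), "pw_hash": acct.pw_hash.hex()}


if __name__ == "__main__":
    acct = create_account("customer@example.com", "correct horse battery staple")
    print(stored_record(acct))                  # no password, only salt and hash
    link_token = start_reset(acct)              # this value is what the email link carries
    print(finish_reset(acct, link_token, "a new password the store never sees"))
    print(verify_password(acct, "a new password the store never sees"))
```

With this layout the "Password: [pass]" line cannot exist: there is no field to merge. The recovery path the thread argues about (staff reading the password back, or a "forgotten password" email containing it) is replaced by the link, and even a stolen copy of the table yields neither passwords nor usable reset tokens.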
