Ticket #82 (closed enhancement: fixed)

Opened 7 years ago

Last modified 5 years ago

Security: separate sending of username and password

Reported by: ed
Owned by: ed
Priority: major
Milestone: Phase 4
Component: Drupal modules & settings
Keywords:
Cc:
Estimated Number of Hours: 0.0
Billable?: no
Total Hours:

Description

Separate the username and password emails so we don't send them together in one unencrypted email (Paul Field).

Change History

comment:1 Changed 6 years ago by jim

  • Owner changed from jim to ed
  • Estimated Number of Hours set to 0.0
  • Status changed from new to assigned
  • Billable? unset

There's no built-in way to send two emails.

However, since the user typed their own password - twice - they don't really need it in the email at all. They can always use the 'forgotten password' option after all.

So, please go to https://www.transitionnetwork.org/admin/user/settings and edit the "Welcome, no approval required" message as you see fit. I'd remove the password line and change the text to say 'you chose your password during registration'.

Reassigning to Ed since he's the one with the user text thing, though can do if needed.

comment:2 Changed 6 years ago by ed

  • Owner changed from ed to jim

a bit confused -

  1. why is there a one time login here when they have already set their password?
  2. why are they being asked to re-set their password?

here is the text as it stands:

Hi !username,
Thank you for registering at !site. You may log in by clicking on this link or copying and pasting it in your browser:
!login_url
This is a one-time login, so it can be used only once. After logging in, you will be redirected to !edit_uri so you can change your password.
You may also log in to !login_uri using the following username and password:
username: !username
password: !password

all the best and welcome,

-- !site team

comment:3 Changed 6 years ago by jim

  • Owner changed from jim to ed

Yes, it's a mess and shouldn't say half of those things - just a reminder of the username and link to the login page at /user/login and a welcome note should suffice.

LoginToboggan removes the need for the one-time login, though they still need to validate their email.

comment:4 Changed 6 years ago by ed

  • Priority changed from minor to major

OK then I'll remove all the stuff about one time logins - that might nail the validation problem and other user confusion at that point.

Bunging up to major so I remember to tweak this in due course...

comment:5 Changed 5 years ago by ed

  • Status changed from assigned to closed
  • Resolution set to fixed
  • Milestone set to Phase 4

Finally got round to sorting this out. Closing.
