Send password when sharing via e-mail #11682
Comments
|
This depends on how we advertise the functionality and what the main use-case behind this is. Currently, it's implemented as kind of a two-factor authentication, there is something you know (the password) and something you have (the link). If we would send the password via the email the two-factor authentication would have gone in the background, in this case the password would only protect you in case you find the link in the history or have guessed it, or it was on a website listed etc... So actually, both use-cases are absolutely okay as long as we communicate such changes appropriately to our end-users. There is nothing worse than giving the user a wrong expectation of security, which in this case could easily happen if we change the default behaviour. Therefore I'd advocate that we let this choice to the user and should invest time to implement a mail editor such as Dropbox has or add at least a checkbox ("Send password") to the sharing overview. There are so many possible use-cases for this functionality and we should try hard to make all our users happy :-) @MTRichards @karlitschek What do you think? |
Now we´re talking! Even better suggestion than I had thought of. I think both and mail editor, and a checkbox "Send password" would be two major improvements. |
|
Yes, a checkbox would be the right choice here (unchecked by default). And a mail editor would be good as well so it’s more personal. |
|
@jancborchardt Agree. :) |
I like it! |
|
This could be used when sending passwords to users aswell. #12603 |
|
Ping @jancborchardt @LukasReschke @MTRichards Any milestone for this? |
|
I assume this should also be added in the new sharing modal: #5873 |
|
Instead of sending plain text passwords you could send only username and an activation link. That activation link could then behave like the current password reset. That way you never have to send a password over untrusted connections (read: email) and you even reach a second goal: the user is forced to choose a password on his own. |
|
@cycloon That would be perfect! |
|
@cycloon while that would be possible it does require a significant amount of changes. Since currently we have at most 1 share per link. Which you can share and e-mail with a ton of people. In this scenario you can only share with 1 person by link. Probably some discussion is required if that is the desired way to go. |
|
@rullzer maybe related, from the design forward of the sharing dialog:
|
|
Hi but what is if the User should become the shared e-mail is not a know user in the system? So it should be possible only to activate the option "send password with email". for everyone share via mail. |
|
@Froster they will get a personalized share link, as we said above. The password is a different topic – all the links will be separate so if you deactivate a person’s link they can not view it anymore. |
|
@jancborchardt yeah you are right but as you see my request was closed and i was linked here.
I know the hole discuss about Password.This is my request: share context Menu |
|
Hello! sorry for my ignorance, how am I able to see the progress of features such as this one? Would this be the best place to look? |
|
@kylesouza yes. And as you see the issue is in the backlog. That means it’s not scheduled for any release specifically, and there’s currently no work being done on it. |
|
Okay, thanks! I'm very new to github and open source and such. On Sat, Jun 20, 2015 at 4:07 AM -0700, "Jan-Christoph Borchardt" [email protected] wrote: Reply to this email directly or view it on GitHub: |
|
Ref: #17398 |
|
I think #17398 is unrelated as this is a completely different use-case. When sharing a link password protected it makes no sense to send out a link where a user can set its own password for the share. |
|
We will wait for the solution of features! thx' |
|
@MTRichards @bboule So this will be in 9.1? |
|
Possibly. It is in the backlog for evaluation when we get to 9.1 planning, then we will know for certain. |
|
Send Password would be great. But how about security? |
|
@MTRichards Is the milestone still correct? |
|
Nope, milestone is not correct. And there are problems with sending the password as @BornToBeRoot pointed out. No point in sending the password in the same email. Maybe a second email works, but we also need to remember the system doesn't store the password, it stores the hash of the password - so after the initial setup, if you don't remember the password, we can't send it again the next time you visit the link. |
|
If you want this feature, feel free to add it to the overall planning list and vote it up! |
|
Done: #24684 (comment) |
|
Second email is a good start. Password via SMS or any other user defined channel for sending it would be better. Meaning: As a user I would want to decide if such PW goes out by SMS, or maybe per Signal message. Seems like I would first need to select the route and then type the password due to the storing as hash nature. |
|
I totally agrree to this function. Owncloud should give this option to include the password as well. I understand the security risks but this is something Owncloud should note taking care of. The default option is to disable this but a checkbox should allow to include the password (maybe with a hint that emails might be read by someone else). Many companies now using mail gateways and encrypt e-mail with S/MIME or PGP. Don't you? Long story short: The user may decide how to handle the password, not Owncloud developers view on. Just remember, you have to build software that is 'easy' to use for non-technical people. Those people just don't care about your security concerns and suggestions ("oh please use another channel for secuirty like SMS") but want share stuff easily. In a real world people just send another mail with the password and complain to IT dept. for this additional steps dropping their productivity for no benefit... |
|
Still waiting for this function. |
|
Hi we also need this function, please re open this post. |
|
Issue is open and feature is on the product backlog. PR welcome! |
|
Thank you! |
|
This feature was introduced in Nextcloud 12. So for me this is already fixed since I migrated. |
|
Will wait for this feature! Thanks in advance. 🎆 |
|
What we can do is add a placeholder for the password but not include it in the default template. So if people really want this security risk they need to edit the template to add the placeholder name into their template. cc @pmaier1 |
and others
Instead of having to send the password in a seperate email we should do it automatically by adding an additional send button that says "Send with password" next to the regular "Send" button in those cases when you add a password to a link and decides to send the shared link per email.
In the e-mail the user gets it should say something like;
"The link is password protected. The password is: [Password]"
What do you think @jancborchardt @LukasReschke ?
The text was updated successfully, but these errors were encountered: