One of our members contacted us today and asked about web site security. They asked whether it was a good idea for Joomla to send passwords by email.
The image below shows a typical Joomla registration email, with the username and password included.
Thebitmill.com has a useful overview of why sending passwords by email is not recommended:
- email is sent in plain text
- email often is stored on several systems along the way to your mailbox
- email often is stored on your computer in plain text or other unencrypted format
- many copies may exist in many places, even after "deletion"
- even encrypted email can be broken into, given enough computing time
- your account's security may have been compromised even before you read your email (changing the password will not help in this case)
So, here's how to disable the sending of passwords by email:
- Go to Extensions > Plugin Manager.
- Search for "User - Joomla!"
- Make sure that "Notification Mail to User" is set to "No".
- Save the plugin settings and you'll be done.
If you are still getting passwords sent, it's possible that another extension is controlling the process. Check for user registration extensions such as Community Builder or JomSocial.
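To confirm the setting across one or more sites without clicking through the admin panel, the check can be run against the site database. The following is an added example, not part of the original post. It assumes Joomla keeps plugin settings as JSON in the `extensions` table under a `mail_to_user` key and that the table prefix is `jos_`; an in-memory SQLite database with constructed rows stands in for the site's real database.

```python
import json
import re
import sqlite3


def audit_user_plugins(conn, prefix="jos_"):
    """Return (password_mail_on, other_user_plugins) for enabled 'user' plugins."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):  # prefix is interpolated below
        raise ValueError("unexpected table prefix")
    rows = conn.execute(
        f"SELECT element, params FROM {prefix}extensions "
        "WHERE type = 'plugin' AND folder = 'user' AND enabled = 1 "
        "ORDER BY element"
    ).fetchall()
    password_mail_on, others = None, []
    for element, params in rows:
        if element != "joomla":
            others.append(element)  # candidates for "another extension" sending mail
            continue
        try:
            cfg = json.loads(params or "{}")
        except json.JSONDecodeError:
            cfg = {}
        # Stored as 0/1 or "0"/"1"; a missing key is flagged (assumed default: on).
        password_mail_on = str(cfg.get("mail_to_user", "1")) != "0"
    return password_mail_on, others


def build_sample_db():
    """Constructed sample rows, not taken from a real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jos_extensions "
        "(type TEXT, folder TEXT, element TEXT, enabled INTEGER, params TEXT)"
    )
    conn.executemany(
        "INSERT INTO jos_extensions VALUES (?, ?, ?, ?, ?)",
        [
            ("plugin", "user", "joomla", 1, '{"autoregister":"1","mail_to_user":"1"}'),
            ("plugin", "user", "profile", 0, "{}"),
            ("plugin", "user", "examplecommunity", 1, "{}"),  # hypothetical third-party plugin
            ("plugin", "system", "cache", 1, "{}"),
        ],
    )
    return conn


if __name__ == "__main__":
    on, others = audit_user_plugins(build_sample_db())
    print("User - Joomla! sends notification mail:", on)
    print("Other enabled user plugins to review:", others)
```

A result of `None` for the first value means the "User - Joomla!" plugin itself is disabled, in which case any registration mail is coming from one of the other listed plugins or from a component.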