04-05-2012 12:06 AM
This is really important, and the present situation is very annoying.
Like most people I know, I have a few passwords that I use for most sites. I vary them a bit, but basically many are based on a few words and numbers and symbols.
If you forget your password, the researcher ID site emails it to you, in clear text, in an ordinary email. That is a terrible breach of security, and if you want to be careful, effectively ruins not only that password, but any others that may have similar structure, i.e. be based on the same words but in a different arrangement. Deleting the email does not necessarily help; at my universty, copies of everything in an out are kept and potentially discoverable via freedom of information, so once my clear text password was emailed to me I had no choice but to change passwords on other sites that had the same or similar ones, and I have probably missed some.
It would be far, far better to do any of the things that most other sites do, such as:
--have a security question and answer that can be used to get limited access to reset your password.
--reset your password to random nonsense, and email that to you in the clear, at least not compromising your actual password.
--send an email to your registered address wth an embedded URL that gives you access to reset your password.
Any alternative at all would be better than the present scheme.
06-12-2012 09:08 AM
Thank you for your interest in ResearcherID and for your suggestions. We'll add it to our future enhancement list.
Product Management Associate
09-28-2012 02:28 PM
Is there an update on this? It's really convenient that logins are standardized across the TR system. Because the passwords aren't salted and hashed and are transmitted in cleartext, it also makes it dangerous. Granted there's no financial information here, but there's still user data to protect, and as Ross mentions, a number of people use the same password or a variant of their password for many sites including banking. That's the real concern.
Here's a few links explaining why it's important to properly obscure passwords and how it can be fixed.
Since you guys manage WebOfKnowledge databases I'm sure your tech team is up for it! :-)