Security: Emailing passwords???

Andrew Reidy
Andrew Reidy Member Posts: 2
edited August 2017 in Reckon One
I just changed my password for the first time and you sent me my new password via email. This is unbelievably insecure!!!

It means that if an email provider (e.g. yahoo) or a companies email server is hacked then the hackers will be able to read the "password change" emails and log into Reckon.com . This is a ticking timebomb for you.

If you don't know how to do login security then outsource it to a company like auth0 or stormpath.

Comments

  • Allan Hamblin
    Allan Hamblin Member Posts: 11
    edited August 2017
    For the same reason I don't like any cloud use, or online accounting. I would think a clever hacker could hack Reckon just as easily as Yahoo. I stick to desktop versions.
  • Rav
    Rav Administrator Posts: 12,204 Community Manager Community Manager
    edited April 2017
    Hi Andrew,

    I can definitely appreciate the concerns you've raised. The good news is we've got some major changes to the way we handle the password reset process coming very soon. It's a complete redesign of the process and will eliminate any potential for undue risk.
  • OCA
    OCA Member Posts: 2

    It is now May 2022 and I have just had exactly the same issue. I updated our password, it was then EMAILED to me with the username as well - you might as well print it on a billboard by the highway!

    The response from Reckon is below and completely useless. Even more so when I see this was flagged in 2017!! COME ON RECKON - SORT YOUR SECURITY OUT


    Thank you for contacting Reckon.

     We really understand your concern regarding the password security.

     The reset password which is shared on the registered email is currently as per the default password reset process. However we will forward your feedback to the concern team.

     Alternately we suggest you to please share your feedback through the link below as this is a dedicated portal to request feature and share feedback and the development team regularly work on the feedback/requests shared.

    I hope the above information would be of help. Should you like to explore other support options, you may contact us via: Reckon Community Reckon KnowledgebasePhones

  • Luke
    Luke Moderator, Reckon Staff Posts: 224 Moderator

    Hi All,

    I can confirm our development team will be working on updating how passwords are reset on Reckon Accounts Hosted in their next sprint.

    Right now there is no exact ETA.

    We thank you for your feedback and patience.

    Luke

  • OCA
    OCA Member Posts: 2

    Let's hope it is quicker that 5 years when this was 1st flagged.....

    In the meantime why not just remove the process that emails the actual password - not hard and resolves the issue until you have a solution - nobody needs the actual password, just a notification that it has changed?

    James

  • Andrew Reidy
    Andrew Reidy Member Posts: 2

    I posted this issue 5 years ago while trialling reckon. When this security issue came up I banned reckon and we went with Xero- which is not great software but at least has okay security.

    It amazes me that more reckon customers haven't been defrauded as it would be so easy. E.g.

    1) Send out random phishing scams to small business employees in order to get access to email

    2) Search email for reckon password reset

    3) Send out fake invoices with incorrect bank account details and profit $$$


    The great thing about this is that most businesses wouldn't know their email had been hacked and would assume it was either reckon or a disgruntled employee. Wait 6 months and repeat attack again