Passwords in sign up email. Bad practice? PCI compliant?
Is it good practice (from a security standpoint) to send a customer the password they provided during registration via email?
No, it is most definitely not!
Do we frequently change this for clients?
No. Unfortunately we do not. We probably should, but it's typically one of the lowest items on the worry list. In the past 5 years, I only recall a single client asking about this. It was after receiving a fiery email from a customer who was not too happy over their password having been emailed to them, and who then was questioning the security of having given the site their CC info to place an order.
I would highly recommend making this change for any new store. It's worth the little amount of time, and the supposed "benefits" which I mention below are not worth the risks of insecurely transmitting the password.
Are there benefits to including the password in the new account email?
Yes, there are (although IMO they are not truly beneficial). This probably depends on the demographic of the site some, and I unfortunately do not have any statistics here, but people lose passwords. Folks like me use unique passwords for everything and store them in keychains, but most folks do not, rather they write them down on sticky notes, tape them to computers or email them to themselves. A customer that can't place an order because they can not log in is either a lost order/customer or an unhappy customer which a CSR must help use the site.
I'm absolutely not saying that it makes it worth the security risk though! It's just a "reason" per-se why they are in emails in the first place.
A big thing that comes into play is the simple fact that people still use the same password in many different places. So even if it doesn't matter if a single customer account on your particular website is compromised, the password can be used to compromise accounts which might be of a more sensitive nature. Not that an eCommerce site doesn't contain PII, but it typically does not contain the same level of sensitive information that a bank would, for example.
The risk for the individual eCommerce store becomes much grander (independent of password cross-polination) when credit card information is being stored to enable easier re-ordering and purchasing. It opens you up to the risk of having unathorized users breaking into the account, purchasing on a customers credit card and having the order shipped elsewhere.
Which version of Magento is being used, in this case, does not matter much. All versions I have worked with (including EE 1.13) send the customer's account password in cleartext via email upon initial account creation. Newer versions do not include the password in the password reset emails and opt for an expiring link instead. But if you reset the password from the admin, same situation, it's sent in cleartext.
Preventing the password from being sent out in the account registration emails is pretty simple and can readily be done from the Magento admin by following a few simple steps:
Go to System > Transactional Emails
Click the Add New Template button
From the Template drop down, choose "New account"
Load the template into the form by clicking the Load Template button
Find the following line of code in the template and remove it:
<strong>Password</strong>: {{htmlescape var=$customer.password}}<p>
Edit the copy in the template to better reflect the nature of the email. Parts of the default template (Ex: "following values") won't make sense without the password present...
Since ~1.6.1-rc CE Magento ships with two different password reset templates. One has the password plaintext, the other a reset link. The reset link template filename is account_password_reset_confirmation.html
while the plaintext password email file is called password_new.html
Go to:
System > Configuration > Customers > Customer Configuration > Password Options
Change the value of "Forgot Email Template" to "Forgot Password (Default Template from Locale).
Edit
Upon re-reading (and @davidalger being such a gent) I may have misinterpreted. However, it's very easy to remove the password reminder field in the new customer signup email, as well. Edit the line (~line 34):
<strong>Password</strong>: {{htmlescape var=$customer.password}}<p>
In the file app/locale/en_US/template/email/account_new.html
.
Or, just upvote and accept @davidalger's answer because he deserves it!