Thinking of using this technique to allow for initial user authentication

[szlamany]

We want to send a regular "letter" in the regular old postal carrier type of mail delivery method - to a bunch of users who we want to allow access to a secure web page.

They will login with the email address they have given to us - which we have marked in a CONTACT table for these individuals.

With that said - the letter does not need to include the EMAIL address - we can simply tell them to use the email they gave us.

The question becomes what do I tell them to use as a password? How bad of an idea is it to put a PASSWORD in this letter - and make it be the same INITIAL password for all these contacts that are going to be connecting??

Obviously I would "pre-expire" this initial password for each user - so they have to select a new one upon the initial login.

[MarkT]

Why not allow them to use the email address for both username and the initial password. At the first login require the password be changed before allowing any navigation to the rest of the site. This isn't very secure but it may be more so than sending a password.

[szlamany]

Wow - that is totally a psychic moment here - I was just thinking I could do that as well!

Seems better then making up a password. If they can't type there own email address twice - then I'm going to get a phone call for help anyway!

[tr333]

If you're sending the username and password via e-mail, I would suggest sending two separate e-mails. One for the username and one for the password.

[szlamany]

We are using regular postal mail - snail mail.

Sending 600 emails to people with URL's and un's and pw's just gets you spam blocked - did that last year and learned a lesson.

We drafted a real letter - and an instruction page - and they go out next week.

We are going to use an email-blasting service to send updates and info to this contact group - let them deal with spam blocking and all that jazz.