Many applications distribute credentials for newly created accounts out-of-band of the user's normal interaction with the application (for example, by post, email, or SMS text message). Sometimes this is done for security reasons, such as to confirm that the postal or email address supplied by the user actually belongs to that user.
In some situations, this method presents a security risk. For example, suppose that the message sent contains both username and password, there is no time limit on their use, and the user is not required to change the password on first login. It is highly likely that a large number, even the majority, of application users will not change their original credentials, and that the distribution messages will remain in existence for a long period, during which they may be accessed by an unauthorized party.
Sometimes what is sent is not the credentials themselves but an “activation” URL, which lets users choose their own initial password. If the URLs sent to successive users reveal any sort of sequence, an attacker can recognize this by registering multiple users in close succession and then infer the activation URLs sent to recent and forthcoming users.
A similar behaviour of some web applications is to let new users register accounts in an apparently secure way and then send every new user a welcome email containing his complete login credentials. In the worst scenario, a security-conscious user who chooses to quickly change his probably compromised password then receives another email containing the new password “for future reference.” This behaviour is so strange and unnecessary that users would be well advised to stop using web applications that indulge in it.
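The activation-URL weaknesses described above (links that follow a sequence and credentials with no time limit) can be avoided as in the following sketch, which is an added example and not code from the original page. The names `ActivationStore`, `BASE_URL` and `ACTIVATION_TTL` are hypothetical, the 24-hour lifetime is an assumption, and an in-memory dict stands in for the application's database.

```python
import hashlib
import secrets
import time

ACTIVATION_TTL = 24 * 3600                  # assumed link lifetime, in seconds
BASE_URL = "https://app.example/activate"   # placeholder URL


class ActivationStore:
    """Issues activation links that are random, time-limited and single-use."""

    def __init__(self, clock=time.time):
        self._pending = {}      # sha256(token) -> (username, expires_at)
        self._clock = clock     # injectable so expiry can be tested

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        # Re-issuing invalidates any earlier link for the same account.
        self._pending = {d: v for d, v in self._pending.items()
                         if v[0] != username}
        # 32 bytes from the OS CSPRNG: no counter, timestamp or user id is
        # encoded, so links sent to successive users reveal no sequence.
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + ACTIVATION_TTL
        self._pending[self._digest(token)] = (username, expires_at)
        return f"{BASE_URL}?token={token}"

    def redeem(self, token):
        # pop() makes the link single-use, whether or not it has expired.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username     # caller now lets this user set an initial password


if __name__ == "__main__":
    store = ActivationStore()
    link = store.issue("alice")             # constructed sample user
    token = link.split("token=")[1]
    print(store.redeem(token))              # first use succeeds
    print(store.redeem(token))              # second use is rejected
```

Because the user chooses the password after redeeming the link, no password ever needs to appear in an email.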