Beginning on 6/22/2016, we will no longer include passwords in welcome emails. We are making this change to improve the security of our site. In place of the password, welcome emails will now contain a link to retrieve a forgotten password through our new password process.
As we continue to serve more and more clients, we review our security practices frequently. Sending passwords by email creates a risk that a commonly used password could be retrieved and used to access other websites. Changing our welcome email process has been a priority for us and required several additional steps to make it possible.
Over the past few months we have improved how passwords are retrieved. All users are required to provide two security questions to change their password. When a password is requested, we no longer send the password. If the user has set up their security questions, they can answer the questions to reset the password. If the user has not set up their security questions, we send a custom link that lasts only an hour. We have also implemented minimum standards for password length and complexity.
ArbiterPay has used a recovery process since inception and has never sent passwords by email.