PB-21906 As a user I can disable notifications for imports, so that I am not spammed with emails

Q1. What is the problem that you are trying to solve?
Currently, when importing a password database (e.g. from a .kdbx file), every imported password generates an email notification.

Q2 - Who is impacted?
Anyone who wants to import a password database, i.a. anyone who is migrating from another password manager.

Q3 - Why is it important and/or urgent?
After the import is done the user will be spammed with possibly hundreds of “Password added” email notifications.

Besides the bothering nature of this it may also lead to SMTP server greylisting or other issues.

Q4 - What is your proposed solution? (optional)
Notifications should not be sent when importing.

The whole reason for these email notifications is, as far as I understood, that the user has an (encrypted) backup for the added password(s). If importing from an existing database this is of course not an issue.

A potentially even better option would be to include a toggle for the notifications while importing. This toggle should be off by default and have a notice/warning message beside it about the possible implications when enabling.

I was a victim of the LastPass security incident. I just imported all of the passwords from my LastPass into Passbolt, only to be shocked in utter disbelief when I started receiving hundreds of emails with password labels in plain text in the subject line. I want to cry right now.

Please, please, please for the sake of future users, disable these kinds of emails by default and especially do NOT include password labels in the subject line! It is so easy to intercept and store these subject lines and emails.

– forever doxxed.

@therealcheese Hi, welcome to the forum! I’ve moved your post to the related feature request. These requests are community driven and it affects development of passbolt.

There’s a simple solution here to turn off these notifications by default and allow the admin to turn them on if they deem it necessary.

We’ve discussed this with the team and we’ll proceed with:

  1. Disable email notification on creation by default
  2. Disable all fields under "email content visibility", e.g. remove URL, Username, etc. from the email by default

This way it will be following the “secure by default” principle more closely, and administrators can lower the security if they want.

