The config files which are attached to the Welcome Emails are XML files in plain English. Consequently, the Auth Password, VMail PIN and the Tunnel Password are exposed for all to see - insecure no matter how complex we make them. The apparent risks might be reduced by:- 1. Checkbox to include/exclude attachment of config file to Welcome Email - not all users need it 2. Obfuscate passwords within the config file 3. Possibly timelimit config files in some way 4. Is VM Pin really needed within the config file? Surley that should be held server side Perhaps there is already a way to encrypt these config files - am I missing something?