Emailing Passwords


Many websites have some mechanism to change your password if you forget it. Typically you click a “Forgot your password?” link, then enter your email address. The site then sends you an email containing a time-limited link to a page where you can enter a new password. Pretty standard stuff.

Why don’t they just email you your current password? Because it’s considered really bad practice. Security-wise, it’s roughly equivalent to sending a postcard through regular physical mail – as it gets passed along, anyone handling it can read the contents if they want to. You wouldn’t want someone to scribble your password on a postcard! The other reason is that if they’re able to email your password in plain text, it means they’ve probably stored it in plain text (or at best stored it in encrypted form, but using reversible encryption rather than a one-way hash).
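As an added example (not code from the post), here is the reset-link flow described above, written so the site could not email a current password even if it wanted to: passwords are stored only as salted one-way hashes, and reset tokens are random, time-limited, single-use, and themselves stored only as hashes. The iteration count and 15-minute lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumption: illustrative work factor
TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset links live 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted one-way hash. The original password is not recoverable from
    what is stored, so there is nothing to email back to a forgetful user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class ResetTokens:
    """Issues the time-limited, single-use tokens that go in the emailed link.
    Only sha256(token) is kept server-side, so a leaked table does not yield
    working reset links."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock, so expiry can be tested
        self._pending = {}        # sha256(token) -> (user, expiry timestamp)

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)       # the secret part of the emailed URL
        key = hashlib.sha256(token.encode()).digest()
        self._pending[key] = (user, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user if the token is known and unexpired; consume it either way."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self._pending.pop(key, None)    # pop: a token can never be reused
        if entry is None:
            return None
        user, expiry = entry
        return user if self._now() <= expiry else None
```

A real deployment would also invalidate outstanding tokens when the password changes and rate-limit the "forgot password" endpoint.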

And yet… even if you would never email passwords yourself, some sites will happily email you your current password in plain text form if you tell them you’ve forgotten it. Typically this happens with smaller sites that apparently don’t know much about security.

But it also happens with some fairly well-known ones. Here’s one, from the Singapore branch of job site Monster.com. As a publicly-listed company (NYSE:MWW) with a market-cap of $600M, you’d think they’d know better.

[Image: MonsterPasswordEmail]

So what to do? Ideally, use a different password for every site. If that’s too much, at the very least, don’t reuse any important passwords, e.g. if you’re signing up for an account at some tiny online retailer, don’t use the same password that you use for your bank account.

Besides protecting yourself, dropping a note to offending websites might encourage them to improve their password security. And finally, public naming and shaming might help, via Facebook, blog posts & comments, or submitting to sites like Plain Text Offenders (which I just found today).

About Gerry Beauregard

I'm a Singapore-based Canadian software engineer, inventor, musician, and occasional triathlete. My current work and projects mainly involve audio technology for the web and iOS. I'm the author of AudioStretch, an audio time-stretching/pitch-shifting app for musicians. Past jobs have included writing speech recognition software for Apple, creating automatic video editing software for muvee, and designing ASICs for Nortel. I hold a Bachelor of Applied Science (Electrical Engineering) from Queen's University and a Master of Arts in Electroacoustic Music from Dartmouth College.

One Response to Emailing Passwords

  1. vamapaull says:

    Use LastPass and unique random passwords for every website 😉
