DISQUS

Hello! Bob Caswell is using DISQUS, a powerful comment system, to manage its comments. Learn more.

Community Page

bobcaswell.com Jump to website »

Subscribe
- New Comments
Community
Top Commenters
- Bob Caswell
  263 comments · 3 points
- tom4cam
  22 comments · 2 points
- frivmo
  5 comments · 3 points
- peskypescado
  5 comments · 2 points
- Racing School
  5 comments · 224 points
Popular Threads
- Iran Election Protests Outside My Apartment
  6 days ago · 4 comments
- It’s official: I now use Bing instead of Google
  2 weeks ago · 9 comments
- I’m a PC and my shirt says so. He’s a Mac and yells in my face.
  3 weeks ago · 9 comments
- Is This Twitter Making Money? I’m Not So Sure.
  3 weeks ago · 2 comments
Recent Comments
- Thanks for helping provide better perspective. Sometimes, in all the noise, we forget that protesters are usually just quiet neighbors. It takes an especially awful situation to get the noise level...
  5 days ago by Bob Caswell
  
  in Iran Election Protests Outside My Apartment
- Thanks for the comment. The more I read up on the situation, the more I understand why you (and others) are very upset about all this.
  5 days ago by Bob Caswell
  
  in Iran Election Protests Outside My Apartment
- "nice job, with your piece on the Bellevue demostration on Iran and awareness is all we can bring to the problem in Iran. Thanks Bob for his humane and objective view. Most of us have never...
  5 days ago by naghmeh
  
  in Iran Election Protests Outside My Apartment
- Thank you for the post. It's logical and repectful. I was there, mad as hell ( guy in red shirt...)
  5 days ago by Frank
  
  in Iran Election Protests Outside My Apartment
- Thanks for the thoughts, Bighappy, hopefully Bing will get to the point where you'll want to use it for tech info or classic cars. When you say that 93% of your searches have "absolutely...
  6 days ago by Bob Caswell
  
  in It’s official: I now use Bing instead of Google

Bob Caswell

Media consumer, tech enthusiast, and blogger

Jump to original thread »

Bad Form: Companies Still Send Passwords via Email

Started by Bob Caswell · 10 months ago

No excerpt available. Jump to website »

41 comments

Kevin M. Keating
1 year ago

Absolutely, Bob. I'm surprised at Mahalo, too, in this case. Emailing passwords (especially when it comes in a message titled "here are your login details") is really bad form. Even though most people don't use separate passwords, this practice makes it super-easy to get into all manner of accounts if one's email account is compromised. Add this to the fact that even security-conscious folks tend to make their email passwords far more insecure (low body image?) than their other passwords, and that most web services require little other than email access to change login details, and you've got a perfect storm.

reply

Paul Ellis
1 year ago

discussion we had over the Charter Communication's E-mail debacle. How much can we expect from free services? They don't have much incentive to care about their users' privacy.

reply

Bob Caswell
1 year ago

Paul, I agree that this goes well beyond Mahalo. I hope this didn't come across as an isolated incident. It's happened to me numerous times.

Using Mahalo as an example goes back to Kevin's surprise (I think). Like Kevin, I was surprised too. I'm generally more cautious with new sites. But Mahalo looks and feels like it should know better. Plus, it has the credibility boost of being the brainchild of Jason Calacanis (who should know better).

Apparently, though, the correlation between perceived look/feel/credibility and privacy/security isn't as high as I had hoped!

reply

Bob Caswell
1 year ago

One more thing, I wanted to respond to this:

"How much can we expect from free services? They don’t have much incentive to care about their users’ privacy."

I wonder about this... I'm not sure that being free is as much the problem as is the fact that there's no viable substitute in most cases. It's as if most, if not all, web 2.0 / social networking sites have a secret pact to never be sensitive to users' privacy.

Because as soon as some start caring, the rest may be expected to as well. But I guess my point is, just because something is free, doesn't necessarily mean there isn't an incentive for it to work well. These companies still need users to keep coming back.

reply

Jason
1 year ago

Frankly, I *hate* services that send me a new password when I forget it and I LOVe services that just send me my password.

If someone has hacked into your email aren't you already compromised big time?!

obviously the new password/password reset function is safer, but it's also a pain in the neck. I understand for a bank, but for a bookmarking/social network like Mahalo or StumbleUpon?! Is that overkill?

Like you said, many services send you a reminder email... is that really so wrong?!

best j

reply

Kevin M. Keating
1 year ago

Here's something to consider - because I think there are actually two separate pieces to this:

Should the company send you your password automatically when you sign up, or only if you've forgotten it?

reply

vrypan
1 year ago

I'm scared by websites that prove that they keep my passwords unencrypted by sending them to me.

reply

Frans
1 year ago

There is a other issue as well. It also means those sites are storing the passwords in a readable manner, instead of a hash. If their database gets compromised/hacked, the hackers will have a nice list of login names, emails accounts and passwords.

reply

dombett
1 year ago

It's somewhat ironic to complain that some sites don't account for your (and others) poor security practices.

While I agree that sending a new password in an open email exposes it for all the web to see, there's plenty of responsibility on the user not to re-use important passwords or even keep a password that he uses just for sites without sensitive personal information.

If you're a Mac user, a program like 1Password makes generating secure passwords right in your browser (and remembering them when it's time to use them!) very easy.

reply

Bob Caswell
1 year ago

Jason, thanks for stopping by and responding. Now for my response to your response:

"If someone has hacked into your email aren’t you already compromised big time?!"

But the reason someone has hacked into my email could very well be one of your disgruntle employees (or any such employee of any company that sends passwords via email) that has easy access to all customers' passwords (sitting right there on your mail server), many of which are likely to be the same as their passwords for their email accounts which they've also given you!

"I understand for a bank, but for a bookmarking/social network like Mahalo or StumbleUpon?! Is that overkill?"

Honestly, I'm a bit tired of the excuse of "anything that doesn't have to do with your money isn't worth protecting." Also, do you really think all your users make sure to keep their bank passwords and social site passwords separate?

And, by the way, Stumble Upon isn't a fair comparison because the password it sends you when you create an account isn't one you picked. Give me more examples of social networking sites that send out passwords. Digg doesn't. Reddit doesn't.

reply

Michael
1 year ago

Bob says:

"Apparently, though, the correlation between perceived look/feel/credibility and privacy/security isn’t as high as I had hoped!"

Why on earth would you think such a correlation exists?!

You also state that you have a stockpile of "I-don’t-care-if-you-know-my-password password" so why are you not ALWAYS signing up for new services with those passwords, and then changing them. It sounds like a touch of laziness in not wanting to have to go through the steps of changing your password. I also do not know if Mahalo sends you an email with your new password after you change it or not. I will test that out right now, in fact.

You should never assume that security on the web is as high as you want it to be. Take your best precautions with your information until you are sure of the security stance of the site.

reply

Bob Caswell
1 year ago

Domenico Bettinelli,

The responsibility is shared between user and company, no doubt. But I'm not sure how some users' poor security habits should ever imply that the company shouldn't take it's side of the relationship seriously.

reply

Bob Caswell
1 year ago

Michael,

Points taken. I will be more cautious, of course, since that matters to me. But again, it's a two way relationship. I'll do my part, but I don't think it unreasonable for companies to do their part as well.

reply

kayzaar
1 year ago

what i like best:

after i click a 'forgot password' link
the system sends me an email with an https link
the page i'm geting to has a form with 2 fields:
1. new password, 2. repeat new password.

the link only works once, and has some time lock.
seems perfect. is it?

reply

Kevin M. Keating
1 year ago

Domenico: You're right, people need to be safer. But companies have an interest in protecting their users (customers, after all!) against their own bad habits. (See: seatbelts, airbacks, antilock brakes, etc - hyperbole, sure, but it pertains). 1Pwd is cool, but not everyone knows about it/can afford it/etc. For companies like Facebook, MySpace, etc, where their users are the single most important asset, failing to protect them in any way possible can lead to serious problems. All it takes is one leak, and the flock will run.

Besides, this is a programming problem that has been solved for years. No one is asking these companies to build a secure login from scratch. Easier, more cost effective to do it in the beginning than to deal with a problem down the line.

reply

Jared
1 year ago

Yes Jason, having a hardcore security/password policy at Mahalo is probably overkill. You aren't storing much in terms of personal information, so none of that is really necessary. Given the nature of your business, your users are probably of the more computer savvy class as well. However, I would guess that there are a significant number of ignorant people who don't know any better.

It'd be easy to just ignore these poor souls, but given that they make up a large percentage of the overall web population, it seems appropriate to make any exception.

Personally, I can't see how clicking a link in your email is any more of a "pain in the neck" than going to your email to retrieve your password. Security isn't easy and it adds complexity. However, people will deal with minor inconveniences if they mean greater security. I would classify having to click a reset link in an email as a minor inconvenience.

reply

Mike Koss
1 year ago

I agree, what Mahalo is doing is NOT a best practice. Web sites should:

a) Never stored your password in the clear (just a hash of the password than can be used to verify login).
b) Never send a password in email or display it on any web page.
c) The user password should only ever be sent over an SSL (secure) connection when logging in (WiFi connections are too easy to sniff).
d) Provide a "Reset Password" page so people can get a link sent to their email account to re-create a forgotten password.

reply

Jim R. Wilson
1 year ago

I'd like to draw a distinction between /sending/ a plaintext password and /storing/ a plaintext password.

Mahalo sends the plaintext password in the account confirmation email, which is available to the script at form-submission time. The password is actually stored salted and hashed according to accepted storage practices.

There is no way for an insider or attacker to recover a password from the system short of brute-forcing one password at a time. The applied salt makes rainbow-table attacks unfeasible.

The credential storage mechanism is part of the underlying MediaWiki infrastructure (same technology which runs Wikipedia), is open-source, and we have not altered it.

-- Jim R. Wilson (Software Engineer for Mahalo.com)

reply

David
1 year ago

I tend to use a single strong password for stuff involving my money (including my email b/c stuff involving my money goes there). For things like mahalo, etc. I use the same password convention for each site, but not the same password. It makes it easy enough to remember without giving away the store.

reply

Bob Caswell
1 year ago

Jim-

Thanks for the details! You've taken away about 30% of my original concern. :-)

reply

Frans
1 year ago

Thanks Jim. Jason made it sound like you would get your original password send to you when you retrieve it.

reply

Bob Caswell
1 year ago

Frans,

Not sure if we're talking about the same thing, but I wanted to clarify that Mahalo does still send your original password to you in an email right after you create an account. So your password is still open / unencrypted / in your email / on multiple mail servers, etc. Jim is simply saying that Mahalo doesn't store the open versions of passwords, but they still send them.

reply

John
1 year ago

I have to agree with David. The best is to use the same simple password for all those sites you have nothing confidential on. For the rest, I use a combination of letter, numbers and special characters.

reply

otto
1 year ago

I think it is a valid policy as long as the user is made aware.

Anyone who reuses passwords, even if it is just a password for random trash sites is at risk here of way more exposure than simply the login details to some search engine. If they are told when they enter the password that it will be sent to them in a plain text email, they can make the choice to use a different password and can fully understand how insecure it is (even if they SSL to their mailserver, who knows where else that email goes).

That being said, it is not exactly smart to reuse the same password on any random sites as they could easily have the passwords stored in an insecure method or in a place readable by employees. I could even foresee an elaborate phishing scheme where instead of a fake site that they want to steal credentials for, they just create what looks like a cool new version of something. Imagine some myspace phishers putting up some screenshot mock ups and getting people to enter a username/email/password in order to join the upcoming open beta of the "next big social networking site"

reply

fresh
1 year ago

Anyone reading this who hosts at dreamhost - I just put in this feature request. You can go to your web panel and vote for it.

reply

Logan
1 year ago

Sending passwords in plaintext via email is always a bad thing to do, even if its only during signup. Mahalo and others should know better!

General Rules
a) Passwords hash + salt in the database
b) Never send a password in email or display it on any web page.
c) The user password should only ever be sent over an SSL (secure) connection when logging in (WiFi connections are too easy to sniff).

Proper way to do password resets
a) Forgot Password with Email field
b) Link is generated sent to email address, which expires within a set amount of time and includes a randomly generated string
c) Clicking on link displays a form that allows user to change their password

(thanks mike koss, I edited and added to yours)

reply

Mangamuri
1 year ago

Even the popular MySpace website sends the password in thank you e-mail !! That's a good piece of work.

reply

Frank
1 year ago

Uh Logan, this is not a proper way to do password resets. It is vulnerable to an e-mail account breach or to sniffing of the e-mail while it is being sent, which are most of the reasons passwords via e-mail were considered bad. (Breach limited to old e-mails being the only missing reason.)

reply

First Poster
1 year ago

Is it a perfect solution? No.

Where does this contruct come from? I see it fairly often recently. Do americans learn this at school? This construct usually appears somewhere in the middle of an essay. "Is it blabla? Yes" "Is it blablabla? no". Freaky as the FED.

reply

Danijel
1 year ago

Here's my solution:

When you create a password the system makes a hash (using md5 or sth) and stores that in its database. Then when you log-in, the system calculates the same has of the password you entered and compares it to the hash in the database.

The good thing about this solution is that noone, except the user, will know the password.

reply

Pat
1 year ago

I prefer the convenience of getting my old password sent to me... I guess if you feel more secure with another method then you also don't mind having your nail clippers seized at the airport and having to carry small amounts of liquid in clear plastic baggies when you fly.

It's about usability, I suppose someone could randomly pick off an email coming to me with my password in it, but if they can hack into my circuit city account or post under my name at some forum... who cares?

Banks/credit card companies have to be more secure (and are)... that's all I care about!

reply

Derek
1 year ago

I really hate it when ANY company does this. Only last week I ordered a product from http://www.devexpress.com/ and they did this very thing! Not only that but they do not allow you to purchase any of their products using public email accounts i.e. gmail/yahoo etc. Ludicrous I tell you ludicrous!

reply

noyb
1 year ago

I work in IT security and it is our policy that it is ok to email passwords as long as they are seperate from which system they log you in to and your username for that system. Keep those 3 pieces seperate and one alone will get you nothing.

reply

Phil
1 year ago

Check the OWASP Guide's Authentication chapter for a long list of best practices. For password resets:

Send a message to the user explaining that someone has triggered the password reset functionality. Ask them if they didn’t ask for the reset to report the incident. If they did trigger it, provide a short cryptographically unique time limited token ready for cut and paste. Do not provide a hyperlink as this is against phishing best practices and will make scamming users easier over time. This value should then be entered into the application which is waiting for the token. Check that the token has not expired and it is valid for that user account. Ask the user to change their password right there. If they are successful, send a follow up e-mail to the user and to the admin. Log everything.

All-in-all a good chapter. The problem with best practices lists is that different websites will require different levels of security, so not everything applies to everyone, but some simple things like "never send passwords in cleartext" should apply to everyone.

reply

Robert
1 year ago

What a sham to knowingly use identical passwords across the net and then blame someone else for what you feel is poor procedure. I won't defend their procedure but I would suggest you not continuing known bad practices and blaming others.

reply

Peter
1 year ago

Frankly I think it is just stupid for a website to email me my account information and password right after I signed up. Why would I need that? I just signed up 5 minutes ago! Will I forget my password in those 5 minutes?

I too have been shocked when I receive an email with my password in plain text! While the chance of it being intercepted may be small, why take that chance?

I disagree with Jason. I would much prefer to receive a "reset your password" link if I forget it, than to have my account information mailed to me immediately or later.

reply

bobby scott
1 year ago

I don't remember any passwords -- I remember one RULE by which a robust password for a given site is to be generated using the domain name as input.

e.g.: take the word truck, append the number of letters in the domain name, then the second letter from the domain name capitalized, and then the second from last letter.

for ebay.com, the resultant password would be

truck4Ba

It does not solve the case of a single site's stupidity, but isolates each site so that even a compromised password can only be used at a single site and anyone knowing one password will have little insight into how to impersonate me elsewhere. And yet, my memorization burden remains fixed.

The last wrinkle is that I use a common password for all sites where my identity is not worthy of great protection, such as a BBS

reply

6087079
1 year ago

A friend of mine recently created this site to bring this issue to light:

http://plaintextshame.com/

reply

Bob Caswell
1 year ago

6087079, nice site, but a little short and missing Mahalo. :-)

reply

Tiger
1 year ago

"Here’s a better solution: ... crappy solution snipped ..."

"I’m no security expert."

Meaning I'm on security expert, but I'm not afraid to pretend like one on my blog.

And give users equally crappy advice.

Do you have any kettles laying around the house you call black?

reply

Aaron Wallentine
1 year ago

I agree that sending passwords in plaintext over email is a widespread insecure practice. All it takes is someone with a packet sniffer on a public network to see anything sent across. They can filter for packets that include the word "password" which password emails often do.

The issue is not whether someone has "hacked into your email"; I don't need your email password to sniff your email traffic being passed in plaintext on a public network.

And as for reusing passwords, I used to do this, but it's a bad practice. Now I use a password safe. There are many out there, but I use KeePass (keepass.sourceforge.net) - it's Open Source, highly secure, portable, and cross platform. (The main program is for windows, but there are compatible versions which use the same data file format for Linux and Mac OS X). It includes a built-in password generator, so I generate a new random secure password for each new site and save it in KeePass. I keep KeePass as a portable app on my USB Flash (Thumb) Drive that I keep with me, so I carry it wherever I need it. You use a master password to open up the encrypted password database in KeePass. So I only have to remember one password, and since it's only one, it can be a strong one.

And when I open it at home, I use a batch file that automatically makes a copy onto my hard drive, so I always have a backup in case my thumb drive gets lost or destroyed (which happened to me once - I accidentally destroyed one).

Use a unique, strong password for every site! It's a no-brainer if you have the right tools.

So if one of my passwords does get compromised by being sent in plaintext over the network, at least it's a unique password that has nothing to do with any of my other passwords.

I'm still trying to come up with a solution to sending passwords over email. Really, I just need to finally figure out how to encrypt my email with PGP. That doesn't solve sites emailing me my password, but I often find I need to send passwords to other people, and that solves that problem.

reply