<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Bob Caswell - Latest Comments in Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.disqus.com/</link><description>Media consumer, tech enthusiast, and blogger</description><language>en</language><lastBuildDate>Mon, 25 Feb 2008 18:17:20 -0000</lastBuildDate><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187511</link><description>I agree that sending passwords in plaintext over email is a widespread insecure practice.  All it takes is someone with a packet sniffer on a public network to see anything sent across.  They can filter for packets that include the word "password" which password emails often do.&lt;br&gt;&lt;br&gt;The issue is not whether someone has "hacked into your email"; I don't need your email password to sniff your email traffic being passed in plaintext on a public network.&lt;br&gt;&lt;br&gt;And as for reusing passwords, I used to do this, but it's a bad practice.  Now I use a password safe.  There are many out there, but I use KeePass (&lt;a href="http://keepass.sourceforge.net" rel="nofollow"&gt;keepass.sourceforge.net&lt;/a&gt;) - it's Open Source, highly secure, portable, and cross platform. (The main program is for Windows, but there are compatible versions which use the same data file format for Linux and Mac OS X).  It includes a built-in password generator, so I generate a new random secure password for each new site and save it in KeePass.  I keep KeePass as a portable app on my USB Flash (Thumb) Drive that I keep with me, so I carry it wherever I need it.  You use a master password to open up the encrypted password database in KeePass.  
So I only have to remember one password, and since it's only one, it can be a strong one.&lt;br&gt;&lt;br&gt;And when I open it at home, I use a batch file that automatically makes a copy onto my hard drive, so I always have a backup in case my thumb drive gets lost or destroyed (which happened to me once - I accidentally destroyed one).&lt;br&gt;&lt;br&gt;Use a unique, strong password for every site!  It's a no-brainer if you have the right tools.&lt;br&gt;&lt;br&gt;So if one of my passwords does get compromised by being sent in plaintext over the network, at least it's a unique password that has nothing to do with any of my other passwords.&lt;br&gt;&lt;br&gt;I'm still trying to come up with a solution to sending passwords over email.  Really, I just need to finally figure out how to encrypt my email with PGP.  That doesn't solve sites emailing me my password, but I often find I need to send passwords to other people, and that solves that problem.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Aaron Wallentine</dc:creator><pubDate>Mon, 25 Feb 2008 18:17:20 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187481</link><description>"Here’s a better solution: ... 
crappy solution snipped ..."&lt;br&gt;&lt;br&gt;"I’m no security expert."&lt;br&gt;&lt;br&gt;Meaning I'm no security expert, but I'm not afraid to pretend like one on my blog.&lt;br&gt;&lt;br&gt;And give users equally crappy advice.&lt;br&gt;&lt;br&gt;Do you have any kettles lying around the house you call black?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tiger</dc:creator><pubDate>Thu, 14 Feb 2008 02:51:29 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187492</link><description>6087079, nice site, but a little short and missing Mahalo. :-)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bobcaswell</dc:creator><pubDate>Tue, 12 Feb 2008 17:44:40 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187493</link><description>A friend of mine recently created this site to bring this issue to light:&lt;br&gt;&lt;br&gt;&lt;a href="http://plaintextshame.com/" rel="nofollow"&gt;http://plaintextshame.com/&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">6087079</dc:creator><pubDate>Tue, 12 Feb 2008 16:16:56 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187510</link><description>I don't remember any passwords -- I remember one RULE by which a robust password for a given site is to be generated using the domain name as input.&lt;br&gt;&lt;br&gt;e.g.:  take the word truck, append the number of letters in the domain name, then the second letter from the domain name capitalized, and then the second from last letter.&lt;br&gt;&lt;br&gt;for &lt;a 
href="http://ebay.com" rel="nofollow"&gt;ebay.com&lt;/a&gt;, the resultant password would be&lt;br&gt;&lt;br&gt;truck4Ba&lt;br&gt;&lt;br&gt;It does not solve the case of a single site's stupidity, but isolates each site so that even a compromised password can only be used at a single site and anyone knowing one password will have little insight into how to impersonate me elsewhere.  And yet, my memorization burden remains fixed.&lt;br&gt;&lt;br&gt;The last wrinkle is that I use a common password for all sites where my identity is not worthy of great protection, such as a BBS</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bobby scott</dc:creator><pubDate>Tue, 12 Feb 2008 13:13:58 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187509</link><description>Frankly I think it is just stupid for a website to email me my account information and password right after I signed up.  Why would I need that?  I just signed up 5 minutes ago!  Will I forget my password in those 5 minutes?&lt;br&gt;&lt;br&gt;I too have been shocked when I receive an email with my password in plain text!  While the chance of it being intercepted may be small, why take that chance?&lt;br&gt;&lt;br&gt;I disagree with Jason.  
I would much prefer to receive a "reset your password" link if I forget it, than to have my account information mailed to me immediately or later.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Peter</dc:creator><pubDate>Tue, 12 Feb 2008 10:56:25 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187491</link><description>What a sham to knowingly use identical passwords across the net and then blame someone else for what you feel is poor procedure. I won't defend their procedure but I would suggest you not continuing known bad practices and blaming others.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert</dc:creator><pubDate>Tue, 12 Feb 2008 09:50:31 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187508</link><description>Check the OWASP Guide's Authentication chapter for a long list of best practices.  For password resets:&lt;br&gt;&lt;br&gt;&lt;br&gt;Send a message to the user explaining that someone has triggered the password reset functionality. Ask them if they didn’t ask for the reset to report the incident. If they did trigger it, provide a short cryptographically unique time limited token ready for cut and paste. Do not provide a hyperlink as this is against phishing best practices and will make scamming users easier over time. This value should then be entered into the application which is waiting for the token. Check that the token has not expired and it is valid for that user account. Ask the user to change their password right there. If they are successful, send a follow up e-mail to the user and to the admin. Log everything.&lt;br&gt;&lt;br&gt;&lt;br&gt;All-in-all a good chapter.  
The problem with best practices lists is that different websites will require different levels of security, so not everything applies to everyone, but some simple things like "never send passwords in cleartext" should apply to everyone.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Phil</dc:creator><pubDate>Tue, 12 Feb 2008 09:03:43 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187507</link><description>I work in IT security and it is our policy that it is ok to email passwords as long as they are separate from which system they log you in to and your username for that system. Keep those 3 pieces separate and one alone will get you nothing.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">noyb</dc:creator><pubDate>Tue, 12 Feb 2008 09:03:42 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187485</link><description>I really hate it when ANY company does this. Only last week I ordered a product from &lt;a href="http://www.devexpress.com/" rel="nofollow"&gt;http://www.devexpress.com/&lt;/a&gt; and they did this very thing! Not only that but they do not allow you to purchase any of their products using public email accounts i.e. gmail/yahoo etc. Ludicrous I tell you ludicrous!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Derek</dc:creator><pubDate>Tue, 12 Feb 2008 08:06:34 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187483</link><description>I prefer the convenience of getting my old password sent to me... 
I guess if you feel more secure with another method then you also don't mind having your nail clippers seized at the airport and having to carry small amounts of liquid in clear plastic baggies when you fly.&lt;br&gt;&lt;br&gt;It's about usability, I suppose someone could randomly pick off an email coming to me with my password in it, but if they can hack into my circuit city account or post under my name at some forum... who cares?&lt;br&gt;&lt;br&gt;Banks/credit card companies have to be more secure (and are)... that's all I care about!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Pat</dc:creator><pubDate>Tue, 12 Feb 2008 07:32:31 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187482</link><description>Here's my solution:&lt;br&gt;&lt;br&gt;When you create a password the system makes a hash (using md5 or sth) and stores that in its database. Then when you log-in, the system calculates the same hash of the password you entered and compares it to the hash in the database.&lt;br&gt;&lt;br&gt;The good thing about this solution is that no one, except the user, will know the password.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Danijel</dc:creator><pubDate>Tue, 12 Feb 2008 05:53:56 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187484</link><description>Is it a perfect solution? No.&lt;br&gt;&lt;br&gt;Where does this construct come from? I see it fairly often recently. Do Americans learn this at school? This construct usually appears somewhere in the middle of an essay. "Is it blabla? Yes" "Is it blablabla? no". 
Freaky as the FED.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">First Poster</dc:creator><pubDate>Tue, 12 Feb 2008 04:29:03 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187506</link><description>Uh Logan, this is not a proper way to do password resets. It is vulnerable to an e-mail account breach or to sniffing of the e-mail while it is being sent, which are most of the reasons passwords via e-mail were considered bad. (Breach limited to old e-mails being the only missing reason.)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Frank</dc:creator><pubDate>Tue, 12 Feb 2008 02:23:53 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187505</link><description>Even the popular MySpace website sends the password in the thank-you e-mail!! That's a good piece of work.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mangamuri</dc:creator><pubDate>Tue, 12 Feb 2008 01:47:25 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187504</link><description>Sending passwords in plaintext via email is always a bad thing to do, even if it's only during signup. 
Mahalo and others should know better!&lt;br&gt;&lt;br&gt;General Rules&lt;br&gt;a) Passwords hash + salt in the database&lt;br&gt;b) Never send a password in email or display it on any web page.&lt;br&gt;c) The user password should only ever be sent over an SSL (secure) connection when logging in (WiFi connections are too easy to sniff).&lt;br&gt;&lt;br&gt;Proper way to do password resets&lt;br&gt;a) Forgot Password with Email field&lt;br&gt;b) A link is generated and sent to the email address, which expires within a set amount of time and includes a randomly generated string&lt;br&gt;c) Clicking on the link displays a form that allows the user to change their password&lt;br&gt;&lt;br&gt;(thanks mike koss, I edited and added to yours)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Logan</dc:creator><pubDate>Tue, 12 Feb 2008 01:42:05 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187503</link><description>Anyone reading this who hosts at dreamhost - I just put in this feature request.  You can go to your web panel and vote for it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">fresh</dc:creator><pubDate>Tue, 12 Feb 2008 01:41:32 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187502</link><description>I think it is a valid policy as long as the user is made aware.&lt;br&gt;&lt;br&gt;Anyone who reuses passwords, even if it is just a password for random trash sites is at risk here of way more exposure than simply the login details to some search engine.  
If they are told when they enter the password that it will be sent to them in a plain text email, they can make the choice to use a different password and can fully understand how insecure it is (even if they SSL to their mailserver, who knows where else that email goes).&lt;br&gt;&lt;br&gt;That being said, it is not exactly smart to reuse the same password on any random sites as they could easily have the passwords stored in an insecure method or in a place readable by employees.  I could even foresee an elaborate phishing scheme where instead of a fake site that they want to steal credentials for, they just create what looks like a cool new version of something.  Imagine some myspace phishers putting up some screenshot mock-ups and getting people to enter a username/email/password in order to join the upcoming open beta of the "next big social networking site".</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">otto</dc:creator><pubDate>Tue, 12 Feb 2008 01:01:23 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187501</link><description>I have to agree with David. The best is to use the same simple password for all those sites you have nothing confidential on. For the rest, I use a combination of letters, numbers and special characters.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">John</dc:creator><pubDate>Mon, 11 Feb 2008 23:26:12 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187500</link><description>Frans,&lt;br&gt;&lt;br&gt;Not sure if we're talking about the same thing, but I wanted to clarify that Mahalo does still send your original password to you in an email right after you create an account. 
So your password is still open / unencrypted / in your email / on multiple mail servers, etc. Jim is simply saying that Mahalo doesn't store the open versions of passwords, but they still send them.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bobcaswell</dc:creator><pubDate>Mon, 11 Feb 2008 22:00:24 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187499</link><description>Thanks Jim. Jason made it sound like you would get your original password sent to you when you retrieve it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Frans</dc:creator><pubDate>Mon, 11 Feb 2008 21:52:08 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187498</link><description>Jim-&lt;br&gt;&lt;br&gt;Thanks for the details! You've taken away about 30% of my original concern. :-)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bobcaswell</dc:creator><pubDate>Mon, 11 Feb 2008 21:47:17 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187487</link><description>I tend to use a single strong password for stuff involving my money (including my email b/c stuff involving my money goes there).  For things like mahalo, etc. I use the same password convention for each site, but not the same password.  
It makes it easy enough to remember without giving away the store.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David</dc:creator><pubDate>Mon, 11 Feb 2008 21:03:44 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187486</link><description>I'd like to draw a distinction between /sending/ a plaintext password and /storing/ a plaintext password.&lt;br&gt;&lt;br&gt;Mahalo sends the plaintext password in the account confirmation email, which is available to the script at form-submission time.  The password is actually stored salted and hashed according to accepted storage practices.&lt;br&gt;&lt;br&gt;There is no way for an insider or attacker to recover a password from the system short of brute-forcing one password at a time.  The applied salt makes rainbow-table attacks unfeasible.&lt;br&gt;&lt;br&gt;The credential storage mechanism is part of the underlying MediaWiki infrastructure (same technology which runs Wikipedia), is open-source, and we have not altered it.&lt;br&gt;&lt;br&gt;-- Jim R. Wilson (Software Engineer for &lt;a href="http://Mahalo.com" rel="nofollow"&gt;Mahalo.com&lt;/a&gt;)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jim R. Wilson</dc:creator><pubDate>Mon, 11 Feb 2008 20:11:19 -0000</pubDate></item><item><title>Re: Bad Form: Companies Still Send Passwords via Email</title><link>http://bobcaswell.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/#comment-1187490</link><description>I agree, what Mahalo is doing is NOT a best practice.  
Web sites should:&lt;br&gt;&lt;br&gt;a) Never store your password in the clear (just a hash of the password that can be used to verify login).&lt;br&gt;b) Never send a password in email or display it on any web page.&lt;br&gt;c) The user password should only ever be sent over an SSL (secure) connection when logging in (WiFi connections are too easy to sniff).&lt;br&gt;d) Provide a "Reset Password" page so people can get a link sent to their email account to re-create a forgotten password.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Koss</dc:creator><pubDate>Mon, 11 Feb 2008 15:19:53 -0000</pubDate></item></channel></rss>