Bob Caswell: Pet Peeve: Why do companies still send me my password through email?

  • J · 2 years ago
    Well, the core problem is to use the same password everywhere. I realize that it's common to do so but you can't legitimately complain about e-mailed passwords if you are making the more fundamental security mistake first. Two wrongs don't make a right.

    That said, the "correctness" of a selected feature is a balance between benefit and risk. For most people the risk of e-mailed passwords is lower than the convenience. The real issues are 1) risk and benefit are arbitrary and individually defined by the user, not the website creator, and 2) no alternative risk/benefit choice is offered by the website creator. In the first case the problem space is ignored and in the second the solution space is ignored.

    I've used websites where e-mailed passwords were *not* used for password recovery and the chosen alternative was so onerous compared to the value of what I was trying to get done that the *lack* of e-mailed passwords both incensed me and reduced the value of using the website to me.
  • Tara · 2 years ago
    I agree. I too sign up with one password, wait for the infamous email to show up in my inbox, then go *back* to the site to change it into something else (in the hope that they don't email the changes to me as well). However, I always use a generated password, never an "old standard".

    Emailing passwords is bad form, especially if you can't opt-out of the password being emailed to you.
  • Bob Caswell · 2 years ago
    Thanks, Tara, I agree that emailing passwords is bad form and that an opt-out would be a fine solution (but no one ever listens to me!).

    And J, to quibble a bit, I have to say that I don't necessarily agree that "the core problem is to use the same password everywhere." The problem I'm talking about (passwords being emailed) would still be the exact same problem even if I picked a brand new password exclusively for my new login. If I care anything for my privacy / security, I don't want it emailed to me, plain and simple.
  • Avinash · 2 years ago
    I completely agree with whatever you wrote in this article. Sending passwords through email is not a good business practice.

    Anyway, I don't care even if a few companies do that, because it's my habit to use a 5 to 8 character long password during the signup process. No matter if it's a big company like IBM or a new startup, I do change my password after receiving the account activation email.

    Even in the current Web 2.0 era, I've experienced a few Web 2.0 startups sending passwords included in their account activation email. They really need to understand that this is the year 2007!
  • Tara · 2 years ago
    Just thought I'd follow up here. Have a look at this:
    http://passpack.wordpress.com/2007/04/06/how-sa...

    An online Password Manager that sends you your master password via email. (I know it's not nice to point a finger like this, but I'm honestly shocked)
  • Bob Caswell · 2 years ago
    Good info, Tara, thanks.
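The thread above contrasts two ways a site can handle signup and recovery: mail the user their password, or offer an alternative that does not. The usual alternative is a random, single-use, time-limited token that is mailed as a link and grants only the right to *set* a password; the password itself never leaves the user's browser and is stored only as a salted hash. The following is an added example written for this page, not code from any of the commenters or from the sites they mention. The in-memory user store, the `outbox` list standing in for an SMTP send, the `example.invalid` URLs, and the 15-minute token lifetime are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time


class AccountService:
    """Signup/reset flow that never needs to e-mail a password.

    Assumed for the example: an in-memory dict instead of a database and an
    `outbox` list instead of a mail transport. `now` is injectable so the
    expiry behaviour can be exercised without sleeping.
    """

    TOKEN_TTL = 15 * 60          # assumption: reset links live 15 minutes
    PBKDF2_ROUNDS = 200_000

    def __init__(self, now=time.time):
        self._now = now
        self._users = {}         # email -> (salt, pbkdf2 hash) or None (no password yet)
        self._tokens = {}        # sha256(token) -> (email, expiry)
        self.outbox = []         # (recipient, message) pairs "sent" by e-mail

    # --- token issuing ----------------------------------------------------
    def _issue_token(self, email):
        # 256 bits from the OS CSPRNG; only its hash is stored so a leaked
        # database does not yield usable links.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (email, self._now() + self.TOKEN_TTL)
        return token

    def register(self, email):
        """Create the account and mail a set-password link (no password in mail)."""
        self._users[email] = None
        token = self._issue_token(email)
        self.outbox.append(
            (email, f"Activate your account: https://example.invalid/set?token={token}")
        )

    def request_reset(self, email):
        """Mail a reset link. The reply is the same whether or not the account
        exists, so the endpoint does not confirm which addresses are registered."""
        if email in self._users:
            token = self._issue_token(email)
            body = f"Reset your password: https://example.invalid/set?token={token}"
        else:
            body = "If an account exists for this address, a reset link has been sent."
        self.outbox.append((email, body))

    # --- password handling ------------------------------------------------
    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def set_password(self, token, new_password):
        """Consume a token and set the password. Returns False for unknown,
        already-used or expired tokens."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)      # pop => single use
        if entry is None:
            return False
        email, expires = entry
        if self._now() > expires:
            return False
        salt = os.urandom(16)
        self._users[email] = (salt, self._hash(new_password, salt))
        return True

    def verify_password(self, email, password):
        record = self._users.get(email)
        if not record:
            return False
        salt, stored = record
        return hmac.compare_digest(self._hash(password, salt), stored)


def token_from_message(message):
    """Pull the token out of a mailed link (the part after 'token=')."""
    return message.split("token=", 1)[1]


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice@example.invalid")
    link_token = token_from_message(svc.outbox[-1][1])
    print("activation mail:", svc.outbox[-1][1])
    print("set password:", svc.set_password(link_token, "correct horse battery"))
    print("token reusable:", svc.set_password(link_token, "again"))
    print("login ok:", svc.verify_password("alice@example.invalid", "correct horse battery"))
```

The point the code makes against the sites discussed in the thread: a service built this way cannot mail a password even if it wanted to, because after `set_password` it holds only a salted PBKDF2 hash. A site that can put your password in an activation or recovery e-mail is either handling it in the clear at that moment or storing it in a recoverable form.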