Ask Slashdot: Dealing With Passwords Transmitted As Cleartext?

An anonymous reader writes: My brother recently requested a transcript from his university and was given the option to receive the transcript electronically. When he had problems accessing the document, he called me in to help. What I found was that the transcript company had sent an e-mail with a URL (not a link) to where the document was located. What surprised me was that a second e-mail was also sent containing the password (in cleartext) to access the document.

Not too long ago I had a similar experience when applying for a job online (ironically for an entry-level IT position). I was required to setup an account with a password and an associated e-mail address. While filling out the application, I paused the process to get some information I didn't have on hand and received an e-mail from the company that said I could continue the process by logging on with my account name and password, both shown in cleartext in the message.

In my brother's case, it was an auto-generated password but still problematic. In my case, it showed that the company was storing my account information in cleartext to be able to e-mail it back to me. Needless to say, I e-mailed the head of their IT department explaining why this was unacceptable.

My questions are: How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail? and What would you do if this type of situation happened to you?

Responses

[neminem]

"How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail?"

Not *that* often, but more often than you would think. (See plaintextoffenders.com - they've got hundreds of examples.)

"What would you do if this type of situation happened to you?"
What I do when this happens:
1. Take a screencap of the email, black out the username and password, and send it to plaintextoffenders.com
2. Contact the site admin, let them know that you just did that, and why it's such a bad idea. Link them to http://plaintextoffenders.com/...
3. Immediately change your password on the site to something stupid that would definitely not even *remotely* help an attacker guess what sort of passwords you might use on other sites, since if their password security is that awful, chances are their security is awful in other ways too.

Re:Responses

[Zontar_Thing_From_Ve]

"How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail?"

I see this and people sending both public and private PGP keys to outsiders more than I should from other companies. I assume it's because in general American businesses have devalued IT for so long that they're getting exactly what little they pay for now with barely trained and barely competent people who don't know anything about security.

Re:Responses

My site, on account creation, generates a password and sends it to you in email in cleartext before putting it in the DB. In that email is a link to reset the password; you can't log into the rest of the site until you've done so. The updated password (and the original) are stored encrypted in the DB.

If anyone has a better suggestion, I'm all ears.

Re:Responses

[PraiseBob]

For the first example, this will happen anytime a site has to generate a password for you, that is to say, millions of times a day. The site has to get the password to you, and can do so by generally email, sms, telephone call, or an in person visit. The same 3 letter agency is monitoring all of those electronic methods, so it really doesn't matter which you use, but email is the cheapest by far. The local network/pc is always going to be the weakest link, so use https for webmail. Splitting sensitive information into two emails makes it much harder for the bad guys. Enough so that it is standard practice for the banking industry and is part of PCI compliance transmitting credit card numbers.

For the second example- so what? It's a one-time temporary password that you picked yourself. The risk of a compromise is minimal, the reward for a hacker is minimal. Is it poor security practice... maybe? But you have to weigh the cost-benefit ratio.

Re:Responses

[chihowa]

My site, on account creation, generates a password and sends it to you in email in cleartext before putting it in the DB. In that email is a link to reset the password; you can't log into the rest of the site until you've done so. The updated password (and the original) are stored encrypted in the DB.

If anyone has a better suggestion, I'm all ears.

Seriously? Let the user enter their own password at account creation and send them an email with a link (containing a random hash that's indexed to that user in the DB) to verify the email address (if that's even a necessary step... it isn't always).

Why would you need to generate a password for them, especially if you're going to email it plaintext and make them change it anyway? What possible benefit does that serve?

Re:Responses

[alexhs]

Why would you need to generate a password for them, especially if you're going to email it plaintext and make them change it anyway? What possible benefit does that serve?

For example, it prevents you to create a throwaway account with the e-mail address of someone else.

Re:Responses

plaintextoffenders.com

/thread

Re:Responses

Generally the better way to do this is to generate a single use token and embed that into the link you email to them. Set a really short expiration time on the single use token (systems I have worked on do like a 20 minute timeout). When they follow the link they set up their password. If you want a bit more security than this you could do something like text the user the token instead of baking it into the URL. When they click the link they type in the PIN from the text and can then set their password. So they have to have access to the persons email as well as their phone to be able to set the password and access the site. With most people not locking their phones though and everyone having email set up on their phone this doesn't necessarily give more security for lazy users, but adds quite a bit for those that are a bit more conscientious.

Re:Responses

[rainmaestro]

Not all accounts are created directly by the user. Half the systems I work with on a daily basis have no signup feature. Accounts are created by site admins. The most common way I see this handled is for the site to generate an OTP and send it via email to the user.

Re:Responses

At my company the security precautions have become a parody. 32 char mixed case, letters numbers, expiring every 4 hours. You have to get a new one every 4 fucking hours.

Encase the computers in cement. Then, no one can break into them.

It would be much easier if we just tracked down the fucking hackers and shot them on the spot. Do that for a few years and hacking would become a very undesirable profession.

Re:Responses

[sexconker]

My site, on account creation, generates a password and sends it to you in email in cleartext before putting it in the DB. In that email is a link to reset the password; you can't log into the rest of the site until you've done so. The updated password (and the original) are stored encrypted in the DB.

If anyone has a better suggestion, I'm all ears.

Don't send the fucking password in plaintext.
Don't store the fucking password. If your database/application can read it, then it's decrypted at some fucking point. Don't fucking do it.

User creates account.
User provides password, username, email, etc.
You generate salt.
You generate a UUID (emailverificationUUID).
You create DB entry with username, email, HASH(password + salt), salt, emailverificationUUID, emailverified (0).
You email the user "Your account has been created, please click this link to verify your email address.".
Link contains the UUID. When clicked, the site performs normal login processes (prompt login if not logged in already) and then verifies that the UUID matches the UUID stored for the logged-in user, and sets emailverified to 1 for that user if so.

Re:Responses

[Hotawa+Hawk-eye]

For the second example- so what? It's a one-time temporary password that you picked yourself. The risk of a compromise is minimal, the reward for a hacker is minimal. Is it poor security practice... maybe? But you have to weigh the cost-benefit ratio.

For someone who knows not to use the same password for multiple sites, it's a one-time temporary password.
For someone who DOESN'T know better, it's probably the same password they use for many or all other sites.

In this particular example, HOPEFULLY everyone applying for an entry-level IT position falls into the first of those categories. But if that site is used to collect applications for IT positions and other positions, the applicants for those other positions may fall into the second category and the sites shouldn't make it worse than it already is.

Re:Responses

[omnichad]

send them an email with a link (containing a random hash that's indexed to that user in the DB) to verify the email address

Did you read before replying?

Re:Responses

[ArcadeMan]

What's that got to do with cars?!

Re:Responses

[ArcadeMan]

At my company the security precautions have become a parody. 32 char mixed case, letters numbers, expiring every 4 hours. You have to get a new one every 4 fucking hours.

What's your estimate on the time lost by all employees for dealing with such precautions? Try to document that, with proof, and get a meeting with your boss(es). After they see the money wasted on being over-precautious, IT will probably calm down a bit. Even a new password every month would annoy the hell out of me.

Re:Responses

[tepples]

So how do you encrypt this UUID? And what do you send for a password reset?

Re:Responses

[omnichad]

If you don't salt your hashes, you're less likely to rust the undercarriage.

Re:Responses

Security standards say that you should not be able to decrypt the password. If you can, you are doing it wrong. You are supposed to store ONLY a salted hash. This should use an expensive hash function (in terms of CPU) to create. If you just encrypt the password and store it (and then can decrypt it and send it back to the user or something) then nobody should use your site.

Re:Responses

[Junta]

The UUID is discarded on first login. Additionally, the UUID is useless without the password/credentials.

Re:Responses

[RingDev]

[quote]So how do you encrypt this UUID?[/quote]

You don't. It's just a GUID or some other low collision rate hash.

[quote]And what do you send for a password reset?[/quote]

You send them a new UUID in a link. When the link is hit, the UUID resolves back to their account and they are directed to enter a new password, just like a first time user.

The combination of time (the UUID can be time boxed), activity (a successful login nullifies the UUID), and possession (control of the account's registered email address), and if you want to get really wild, knowledge of a security question, creates a scenario where there are no good purely technical solutions for the attacker.

An attacker could, in theory, create a colliding GUID for an account they know the name of (but not password), manually enter the UUID link, and set the new password (assuming there is no security question).

But if an attacker manages to consistently generate colliding GUIDs*, they have accomplished something so monumental that they should be heralded as the second coming of Steve Jobs or something.

(*Assuming the coders didn't decide to come up with their own GUID generation algorithm that is easily reverse engineered and seeded)

-Rick

Re: Responses

If they're changing the password every 4 hours, why not every minute, with a securid fob or similar. All that time wasted on 4 hour password changes should pay for a decent setup...

Re:Responses

But you have to weigh the cost-benefit ratio.

I don't know why this gets thrown out the window for some people just because it involves the Internets.

Re:Responses

[RavenLrD20k]

But if our Admins had to generate a new account every time a new customer needed one, when would they have time to play CounterStrike: Ghosts?

Re:Responses

[Bengie]

In the case of a password reset, if you change the password and email the new changed password, the password reset may have been requested by someone other than the account holder. Now the account holder's password is changed to something other than what the user expected. Going through account activation or a password reset will force the user to set the password. The system should NEVER change a user's password except to exactly what the user wants the password to be.

The difference is if you generate a one time use token and send it to the user for limited access to change their password, then you're using a one time use token. Yay, as expected.

The other way is to change the password to a random value and send this to the user. Similar to the one time use token, but your F'n abusing the password system to also act as a one time use token.

It doesn't seem like much of a difference, but it's a slippery slope and easier for mistakes to be had when you mix your authentication logic with your one time use logic. I've seem strange abuses or requests for abuse in my time. Make you cringe.

Re:Responses

[rainmaestro]

Real admins have macros. Every headshot triggers a script that creates a new account from a list (automatically built from incoming ticket contents of course).

Re:Responses

[Asgard]

No encryption -- generate a random string and store it in the DB as associated with the login id. All you care is that the user with email X receives the email and can provide the random string.

Re:Responses

[tepples]

Or to put it shorter: "Passwords and password reset codes go in separate fields."

I've implemented a similar system that keeps the hashed password and the one-time-use code in separate fields of the user table. I just wondered if there was any good way to protect the "login ticket" (the mail containing the one-time-use code) from interception in the 24 hours between when it is sent and the expiration time that we store.

Re:Responses

[alexhs]

Ok, here are some possible benefits over chihowa's proposal, for specific use cases.

- If the use case implies a system/"real" account rather than a virtual one (which I admit is a bad idea most of the time), the implementation practically comes for free: simply create an initially disabled account with a generated password. Particularly useful if the bunch of account creation doesn't actually use an e-mail account at all (say, university students accounts, with account names and initial passwords printed)

- You don't have to develop a different UI to differentiate account validation and regular password change.

- Some (web)mail applications are breaking URLs. Often times systems using generated URLs contain a link, plus a textual representation of the URL in case the link doesn't work (which usually means a text client), and sometimes some kind of pretty printer likes to add spaces after punctuation signs. With a short static URL and a password, you're minimizing copy/paste issues.

Re:Responses

[znrt]

My site, on account creation, generates a password and sends it to you in email in cleartext before putting it in the DB. In that email is a link to reset the password; you can't log into the rest of the site until you've done so. The updated password (and the original) are stored encrypted in the DB.

If anyone has a better suggestion, I'm all ears.

my better suggestion is don't do that. i don't even need to know the reasons, because there can't possibly exist any valid one.

oh and if you built that site yourself ... a very good suggestion would be stop building sites, now. this isn't about skill, it's about basic understanding of network fundamentals.

get a professional, you can retain absolute control about how the site looks and what it does but considerably reduce the odds of screwing up that massively or damaging other people.

plus, considering you current status, a very good suggestion would be to take the site down and get it fully audited.

Re:Responses

[RavenLrD20k]

So how do you encrypt this UUID?

You don't need to. Paranoid about it? Wipe the UUID field from the database upon successful verification of the email so it can't be queried against in the future. However it would be better to just do a sanity check in the code that if there's a boolean 1 in the "emailConfirmed" field after querying for the UUID, just notify the user that the account has already been confirmed and doesn't need to be again.

And what do you send for a password reset?

An email to the address on file that has a link to the password reset possibly pre-filling the userID field, but I tend to make the user type that in themselves. If they don't remember the userID... then they'll need to know other pertinent information that the account was created with, otherwise new account time. After the password is reset, then send a confirmation that only states this fact and not giving any identifying information in it beyond that. The same thing you should be doing for any type of change made at the user's account level. If the user is changing their email address, send a confirmation to both the old and the new address that it has been changed, then also reset emailConfirmed to 0, regen the UUID, and force the user to verify the new address, following the same procedure as if it were the first time.

Re:Responses

[sexconker]

You don't encrypt the UUID. It's just a verification to make sure they know the UUID, which is universally unique, generated by you, and sent only to your database and to their email address. All this does is establish that they have access to the email address they supplied. If you do as I suggest and tie this UUID directly to the user entry, an attacker can't do anything with this UUID without ALSO knowing the user's login and password. Clicking the unique link or knowing the UUID is useless unless you can also login as the user to access their row in the user table.

For password resets, you generate a random password and salt, set it to immediately expire, and then tell the user that password. You leave the old hash and salt in place - the new stuff goes in separate columns until the switch is done by the user. This prevents users from being unable to authenticate if an attacker merely requests a reset, or if you trigger an expiration due to whatever policies you have in place.

Your login page should authenticate the user (using the original password OR the new temporary one). If the user used their old password and authenticated successfully, you can ignore the reset. If they used the temporary password, block all authorization until a new password is supplied by the user (only let them get to the password reset page).

On the password reset page, ask for a new password. Double check hash(newpass+oldsalt) against the stored temporary hash (do the same for the old regular hash too, if you want). If it's a match, the user is dumb and entered the temp (or old) password. If it's not, you generate a new salt and store hash(newpass+newsalt), store newsalt, reset the password expiration date, blow out the temp password, etc.

The trick here is telling the user the temporary password. This is often done with a unique link (using another UUID) that automatically skips the authentication portion and goes straight to the password reset portion for that user. This is extremely fucking dangerous because anyone with access to the email address can hijack the user's account. Despite this, this is how most site on the internet do it. Sending the temporary password in plaintext or not makes no difference because sending the link in plaintext is functionally equivalent. Your security at this point is hoping the legitimate user made the request, is the only one with access to the email address, and the narrow time window in which the temporary password / reset link is valid.

Security questions, pin numbers, RSA clocks, text messages, heuristics (matching IPs, browsers, etc.) all provide more security, but are useful against a MITM attack or cover the scenario where a user forgot the security answer, doesn't know their pin, lost the RSA clock (dongle or phone), changed phone numbers, moved, etc.

Re:Responses

[JenovaSynthesis]

4. Report them to the Feds for a Federal Education Records Protection Act violation.

Re:Responses

[peragrin]

I know of the doom version of PS for cou process deletion. But I didn't realize some made a counter strike admin portal. What happens when you tea bag some one?

Re:Responses

>over-precautious

No such word as precautious. It's either over-cautious or precaution.

Re: Responses

No it does not. Mailinator.

Re:Responses

[chihowa]

I just wondered if there was any good way to protect the "login ticket" (the mail containing the one-time-use code) from interception in the 24 hours between when it is sent and the expiration time that we store.

For account creation, you can do this by requiring that the user authenticate with their username and password to use the "login ticket". If they know all of the authentication details and have control of the email account, there's really no way to distinguish them from a legitimate user (from your limited perspective). That said, acquiring all of the account details (including the password) and gaining access to the user's email account in a short time window represents an attack that's only likely for an account on a very important system and you (I) wouldn't deploy such a system with email as the only means of verification.

Things are more difficult for password reset requests because the user doesn't know their login details, but that's a different scenario from the account generation one. You have to make security compromises in the name of convenience if you want a user to be able to reset their password from a link in an email alone.

Re:Responses

[ArcadeMan]

D'oh!

Re:Responses

At my company the security precautions have become a parody. 32 char mixed case, letters numbers, expiring every 4 hours. You have to get a new one every 4 fucking hours.

What's your estimate on the time lost by all employees for dealing with such precautions? Try to document that, with proof, and get a meeting with your boss(es). After they see the money wasted on being over-precautious, IT will probably calm down a bit. Even a new password every month would annoy the hell out of me.

Aside from the obviously hyperbolic comment of the GP, it is incredibly easy to to a maximum perceived value on password hassles. It is at most, a penny less than the price of a hardware keyfob, which start at $20 depending on how manys ervices you are trying to integrate, and go to $100 for the RSA ones:
http://www.amazon.com/SafeNet-IDProve-Card-Amazon-Services/dp/B00J4NGUO4/

Re:Responses

[DjReagan]

http://www.merriam-webster.com...

Definition of PRECAUTIOUS

: using precaution : precautionary

— precautiously adverb

— precautiousness noun

Re:Responses

[goarilla]

I don't really think it's all about competence. If you enforce the use of "complicated tools" (GPG)
you'll be perceived as working against the company. And your job could be on the chopping block next quarter.
Also while I think password hashing and salting should be mandatory I've received numerous calls from higher-ups wanting to know their "forgotten passwords".
So even that can that can be seen as you working against the bosses :(.

Re:Responses

[ovanklot]

See plaintextoffenders.com - they've got hundreds of examples

Thousands, actually. Really glad you guys are finding our website so helpful and I'm very happy this is the top comment :)

Thank you all for your support!

@omervk, PTO

Re:Responses

[neminem]

It is indeed super-helpful to be able to link people to it, thanks for running it! :) (That said, I swear I submitted something a couple weeks ago and haven't seen it yet - how long does it take, generally? :p)

Re:Responses

[ovanklot]

It can take a while to appear, simply because I queue posts for publication top make sure we have a steady stream of activity. It usually takes up to a month tops.

Re:Responses

[neminem]

Ah, that makes sense. Amusingly, you posted one this morning that at first I thought was mine, but nope, same type of site, but not the same site. (Makes me want to check all the *other* similar sites I have accounts with now. >.>)

Re:Responses

[ovanklot]

Please do and submit those that you find to be offenders :)

Simple

[juanfgs]

What would you do if this type of situation happened to you?

I'd continue using different passwords for different accounts and not being a whiny bitch about it.

Re:Simple

Don't mod down the angry bro just because he uses bad words.

The only safe assumption is to assume that no one handles passwords correctly. So you use a different password for every service. Use a password manager and let it generate random passwords for you.

The question one then to answer for themselves is if I assume they are not properly handling passwords, how much personal information is one willing to provide. You're on your own for that as everyone values information differently.

Re:Simple

How do you know he's angry? All I can tell from his post is that he's better grounded than the person who asked the question, and that he's a misogynist, as is far too common with the stuffed-into-lockers crowd here.

Re:Simple

[Coren22]

I assume that you speak of the word bitch in his post. I would like to point out to you that a female dog is a bitch, and yes, bitches whine.

Re:Simple

[juanfgs]

I don't really trust online password managers for the same reason I have a set of passwords which are slight variations from each other (following the same pattern) for accounts I don't care that much about or might be insecure. I memorize a few of random generated passwords for my main important accounts and keys ( I also have encrypted them stored in a usb key in the rare case I forget them).

If a service becomes important enough to have a secure password I generate a new random password for that (but it's really rare).

Many other work related passwords are stored in encrypted files in my hard drive.

This happens all the time

[sinij]

I am a security auditor, and this happens all the time. For non-IT company, If they changed default credentials they are already ahead of the curve.

It's most likely a sign of code age...

[Penguinisto]

It used to be scarily common, but I believe that it's slowly phasing out in favor of hitting a website where you can (re)set the password yourself after a couple of security questions.

I believe it's just a sign of old code (or an old coder) on the site. There may be cases where the guy writing the sitecode is inexperienced or incompetent, but I like to think that such cases are rare.

I think I only see a cleartext password sent via email like once every 10 requests now.

Re:It's most likely a sign of code age...

[ThatsDrDangerToYou]

It used to be scarily common, but I believe that it's slowly phasing out in favor of hitting a website where you can (re)set the password yourself after a couple of security questions.

I believe it's just a sign of old code (or an old coder) on the site. There may be cases where the guy writing the sitecode is inexperienced or incompetent, but I like to think that such cases are rare.

I think I only see a cleartext password sent via email like once every 10 requests now.

Hey, watch it pal. I was born and raised on '12345' and it's always worked out great for me. Now get off my punch card machine, er, I mean, lawn.

Re:It's most likely a sign of code age...

[ArcadeMan]

Hey, watch it pal.

(insert South Park pal/buddy/guy/friend reference here)

I was born and raised on '12345' and it's always worked out great for me.

(insert Spaceballs reference here)

Re:It's most likely a sign of code age...

Mailing the password back is just the icing on the cake. A website storing (and thus even knowing) your password is a sign of incompetence. It's been bad practice since way before there was even such a thing as a web or a website. No one currently working is that old.

Re:It's most likely a sign of code age...

[Qzukk]

That's the excuse for when it's automated, but I get plenty of encrypted files that come in an email with "password sent in separate email" in the body where the password is steve55 or some such thing.

Re:It's most likely a sign of code age...

I'm surrounded by assholes?

Re:It's most likely a sign of code age...

"security questions" You mean answer a question that everybody knows about you?
Yea, worst invention of the security industry.

I treat security questions as random passwords, if they force me to use them. However if I loose my password I would also loose those answers.

KeyPass (and similar)

[da_foz]

This was one of the reasons I started using a password manager. No need to remember passwords to sites I rarely use and much easier to avoid using the same or similar passwords in general.

Re:KeyPass (and similar)

*Keepass

Security

[corychristison]

Your first example is acceptable in my opinion, as that password was probably random and (essentially) single use. After logging in, you should immediately change the password to something you can remember.

The second example, however, is a big no-no in my books. I develop web based applications for a living. The only time we send a password over e-mail (or SMS) is when a user has locked themselves out of their account, and are using the account recovery tool to regain access. This is how we handle it:
1. Click on "Forgot Password"
2. Enter your e-mail address (and username if different from e-mail address), click "Begin Recovery"
3. Send an e-mail with a verification URL for them to continue the process, this is to confirm they actually are the owner of the email address, and also to weed out people trying to use the recovery process maliciously.
4. Upon following the URL you will be prompted to answer two security questions you set up on registration from a set of predefined questions. You must answer both correctly to proceed. Internally, when this URL is hit, the account in question is flagged in the DB that it is now in Recovery Mode.
5. Upon answering the questions correctly, you will be e-mailed a single-use password you can log in with.
6. Upon logging in, you are required to change your password to something you can remember (or store in a password DB, like you should be doing).

I know it's long and cumbersome, but it works.

Re:Security

[Zumbs]

4. Upon following the URL you will be prompted to answer two security questions you set up on registration from a set of predefined questions. You must answer both correctly to proceed. Internally, when this URL is hit, the account in question is flagged in the DB that it is now in Recovery Mode.

That one would leave me out. Given how "security questions" have been handled in the past, i.e. to be anything but, my response to that sort of thing is to type in random text and usually a lot of it. I also don't see how it increases the security. If the email address of the user has been compromised, it is likely that the intruder would have an easy time finding the correct answers to the questions. In your example, there is actually also no need to send a password to the user. If the questions are answered correctly, you could send the user directly to step 6. Indeed, most recovery tools that I have used include steps 1, 2, 3, 6.

Re:Security

[corychristison]

I see your point. We make it abundantly clear what the security questions are for upon registration, and encourage the users to answer correctly. The questions we ask are not something that would normally be found in a users inbox, and most average users do not index and archive their e-mail. I do, personally, but I archive anything older than 2 years locally on my workstation(s).

We'll consider the idea of skipping of sending a new password to the user. Thanks for your input.

Re:Security

[Hardhead_7]

I'm OK with actually secure security questions. What High School did I go to? Well, I live in Smalltown, NC so it turns out to be Smalltown High. That's a dumb one. Who was my first grade teacher? That's a lot harder info to track down.

Re:Security

[CrimsonAvenger]

Given how "security questions" have been handled in the past, i.e. to be anything but, my response to that sort of thing is to type in random text and usually a lot of it. I also don't see how it increases the security. If the email address of the user has been compromised, it is likely that the intruder would have an easy time finding the correct answers to the questions.

Use a password manager.

For secret questions, make up an answer, note the answer in your password manager.

Good luck with monitoring email to figure out the answers....

Re:Security

[Bert64]

Not necessarily in these days of social media... A lot of people have Facebook accounts and will have added relatives or people they went to school with...
For your example, you already know the school, so you find out a list of their teachers (often published online) and try them all, and if the attacker knows your age they can narrow it down further... Either way there's a relatively small number of possible answers.

Re:Security

I know it's long and cumbersome, but it works.

What you meant to say is "we don't get complaints". It's not the same thing.

Re:Security

[lq_x_pl]

A clever permutation on the security question thing is to pair up irrelevant answers with standard security questions. (the examples that follow are not the pairs I use...)

Model of first Vehicle -> Futurama

Where did you get engaged -> IsaacAsimov

Name of first grade teacher -> polyamory

Favorite book -> Ethernet Cable

and so on.

Re:Security

I see your point. We make it abundantly clear what the security questions are for upon registration, and encourage the users to answer correctly.

Security questions have repeatedly been proven to be entirely useless as a form of protection (aside from the simple fact that you are providing an additional attack vector, they are both easier to guess and easier to harvest through social engineering than passwords). This is the stone age way, I find it staggering you can seriously sit there pretending what you just described is a Good Thing. I haven't subscribed to a website that required a security question since the 90s.

Re:Security

[Cro+Magnon]

OTOH, I don't even remember who my first grade teacher was.

Re:Security

You don't need to type in random text. You can be more methodical about it and still be secure. For example:

Security Question: What was your mother's maiden name: Answer: Fuckyou
Security Question: What was the model of your first car: Answer: Fuckyou

See, no problem. The miscreant cannot reset your password because they would have answered ZumbsMom to the first one and Pinto to the second.

Re:Security

[BitZtream]

You haven't been developing web apps very long, have you?

Steps 5 and 6 are horrible from a UX perspective and actually lower security a tiny bit.

By emailing out a single use password you make it possible for someone to eaves drop on the email train and login to your site using the single use password that you sent over email ... in clear text, over a system that may end up easily being stored on disk and snoop-able on many computers.

There is absolutely no reason to email them the password, you've already verified the email address is viewed by the user, doing it again just exposes that information to other people who may not know the users 2 security questions, but do already have access to the users' email.

You've effectively made your security questions useless if someone hacks the email account in the first place, which is often the case before using that to spider out and discover other services the user has. (You check the users sent/inbox/archive for emails from certain email addresses that are used by various services and can quickly tell the user does use specific services.)

Emailing a password is ALWAYS BAD PRACTICE.

ALWAYS.

Did you hear me? ALWAYS.

When you think you've figured out a way to make it 'safe'. Jab an unsharpened pencil in your eye as punishment and remember: ITS ALWAYS A BAD IDEA TO EMAIL PASSWORDS.

I'll go ahead and not bother pointing out how bad of an idea 'pre-defined' security questions are at this point, seems like you probably need to do some brushing up one security practices from someone who knows a bit about what they are doing. FFS, there are frameworks for every major web dev environment for user auth recovery. You shouldn't even be rolling your own.

Re:Security

[Zumbs]

I considered something like that. Then it occurred to me that it was basically like having an extra password to remember.

Re:Security

[Zumbs]

Good point. I will take your suggestion under advisement.

Re:Security

[bvimo]

I know the predecessor of my first school teacher, we're now quite good friends, but I don't know her replacement. I think she was tall and had dark hair. Which from the perspective of a 4 year old is quite a few women :P

Re:Security

[corychristison]

Wow. Anger problem much?

Re:Security

Get rid of the security questions. Christ, why does this even need to be said to a person who develops web applications for a living?

Re:Security

Of course if you lost the password, which you stored in your password manager, then you also lost those questions.
I do the same as you, but it is not a good solution.

Re:Security

[BitZtream]

Yes.

People who think they have a clue and are clever ... then decide to share their awesomeness and cleverness with others in a way that makes us all worse off ... yes, that makes me angry.

But hey, you go ahead and deflect. No sense in acknowledging the problem and doing something about it, you go ahead and pretend you've done nothing wrong and I'm the bad guy for pointing out how you're just as stupid as the article you're replying to ... but you don't even realize it or why, and you're bragging about your poorly thought out methods.

You think you know what your doing and don't, and on top of that you've decided to attempt to corrupt other people with your broken methods. You are the definition of a security problem.

Re:Security

[corychristison]

I have yet to hear any a solution to this problem from you. So far just a repetitious whining about how what I wrote is just so horribly broken. I see even worse solutions implemented in sites that may cause even more havoc in a persons life, such as financial institutions, and government departments.

What would you do? How would it be any better? Please provide full details. If all you are going to do is bitch and whine but not bring any solutions to the table, you're even WORSE than me. At least I'm making an effort.

Re:Security

The one I hate is Mother's maiden name. I don't know how hard it would be to find in most cases, but in my case, it's my middle name. Posting anonymous for obvious reasons.

Assume the worst

I just assume that every system is insecure and try to isolate fallout when one of my passwords is compromised. Specifically, use a different password for every auth system. That way, you minimize damage when one is inevitably compromised.

That being said, I think we should really have stricted laws in place that require companies to not store their users' passwords in clear text, so we have a legal recourse against this kind of insane practice.

Does this count?

What about a college resetting your password to something to the last four of your SSN and sending it in plain text via email?

Have to do this all the time.

[Lumpy]

In ham radio command and control over remote digital ground stations all have clear text passwords because it's against the law to encrypt on ham radio bands. So every password is a single use.

Today, if I connect to the digipeater that is near me I will use the password S4tA12fDg
and it will work once and only for a certain window for that single login to happen.

Any company worth anything would do the same. Here is your link, here is your one time use password, you had better get the file in the next 20 minutes or that password will not work.

Perfectly secure for simple crap that really has zero value like a school transcript.

Re:Have to do this all the time.

[msauve]

"In ham radio command and control over remote digital ground stations all have clear text passwords because it's against the law to encrypt on ham radio bands. "

No, it isn't, at least in the US. It's illegal to use transmit "messages encoded for the purpose of obscuring their meaning," but the meaning of a password exchange is not obscured when it's encrypted. The meaning is user authentication, not the actual text of a password.

Re:Have to do this all the time.

I just thought I should clarify this a tad bit for non-hams. (but the rotating password you provide is a good way to go)
It is not permissible to encrypt the message in a way which obscures the meaning, but can in a non-obscure way to verify the user is authorized. This is still not common, but possible. One such method with digital modes is to have the user use a private key to sign the message, and the control operator maintaining the station can have the corresponding public key. In a fashion similar to Echolink, an Amateur VoIP system, an operator can be verified by the service before being granted access.
Others have argued that on modes such as HSMM you can use WPA2 encryption as long as you share the key with any licensee who requests it, but this is still dubious, FCC hasn't said much on it, and the point of no encryption is that you can see who is talking with who.

There is one exception to the encryption rule, and that is for telecommand of Space stations on the Amateur Radio service. However, that space station cannot encrypt data back Down to Earth.

73!,

ke5tuz
(anonymous coward only because I'm on a corporate proxy which, while not prohibitive of slashdot, will log passwords). Normally I'd post under DaJJHman

Re:Have to do this all the time.

Perfectly secure for simple crap that really has zero value like a school transcript.

Yeah, except sometimes those school transcripts have useful information, like full name, address, DOB, SSN, parents names...

Re:Have to do this all the time.

[Tolkienite]

ke5tuz (anonymous coward only because I'm on a corporate proxy which, while not prohibitive of slashdot, will log passwords). Normally I'd post under DaJJHman

Well, you silly rabbit, that's why we use SSL! So corps won't be able to listen to our passwords!
Of course, this being a geeky site, it fully supports https.. oh wait...

I used to see that all the time

[HangingChad]

Before NMCI came along, I was tasked with taking over a mapping application for the Navy and discovered the app was sending admin credentials in clear text in the URL string. Instead being of grateful I found the obvious sloppy coding they accused me of trying to pad my billing with make work and blaming the previous programmer. When I explained their application was crap and a giant security hole they would say, "Well, it works for us."

So I totally understand how apps like that make it online.

Typing password in wrong field

You ever type your password into the username field by accident and hit enter and so it does get transmitted and enters the server log as a failed attempt with username = YourPassword

Ouch. Have to change then.

Re:Typing password in wrong field

I HATE it when I do that. Granted, if they can read the server log, they probably don't need my login password.

applying for a job online sucks in many other ways

applying for a job online sucks in many other ways I hope you hear back from the real IT person and are able to send them an resume that is not lost in a bot system or is loaded with keywords to get past them.

Republicans are stupid

That is the reason their kind does this. They rule the vast majority of corporations so they force poor security practices from the top down. It is the way of their kind.

Re:Republicans are stupid

Republicans are stupid?
We didn't elect obama, who will go down in history as the worst president this country has ever had - even worse than the peanut farmer! His "enlightened" leadership has transformed the USA into a third-world country; just read the news (and I don't mean the yellow rags like the NY Times or Huffington post or CNN). Try some international sources, you will see what a joke this country has become.
(if this post does not get "edited" or deleted)

Re:Republicans are stupid

> president this country has ever had

Considering he was awarded a Nobel Peace Prize just for his potential shows he is maybe the greatest human that ever lived. He went from never having a real job and no experience almost overnight to the leader of the free world. No one has come from no experience to that position so fast. He is amazing. It is only racists that hate him and call him names like ape that don't like him.

Concern not warranted

[dfetter]

If you check with black hats, you will noticed that there are two tactics that they use approximately never:

- network packet sniffing, and
- break-ins to email

What they're saying by this is that passwords sent in the clear are not an interesting target.

Just trying to bring this conversation back down to earth.

Re:Concern not warranted

[JaredOfEuropa]

If passwords are sent in the clear, they are kept in the clear (unless they are one-time randomly generated passwords). And if you check with black hats, you will note that they steal password files all the time. In most cases they'll end up with password hashes, which means they can spend some time and computing power to throw a dictionary at the file and see if any semi-obvious passwords come out. But if passwords are stored in the clear, they end up with everything, no matter how strong your password. And if you use that same password on multiple sites, you'll be in even more trouble.

Re:Concern not warranted

If passwords are sent in the clear, they are kept in the clear (unless they are one-time randomly generated passwords).

Not true at all. The emails could be sent with a non-hashed version of the password prior to hashing and storing it during initial registration. Any encryption algorithm that is not one-way could also be stored encrypted and later decrypted.

Re:Concern not warranted

Actually hijacking an e-mail account is a method used multiple times by black hats to take control over someone's cloud account.

Just one example:

https://blog.cloudflare.com/the-four-critical-security-flaws-that-resulte/

Re:Concern not warranted

If a site used TLS to send the info to the E-mail provider, and the E-mail provider provides 2FA [1], then other than a break-in on the E-mail provider's side just during the interval a password change is going on, sending in plaintext is not insecure.

But: It should not send your decrypted password. Instead, it needs to provide you with a way to change your password. The password, once entered, should be hashed with a salt and stored in a hardened instance, preferably encrypted at every link (the backend application encrypts the hashes, the DB uses encryption to protect against attacks on the SAN level, etc.)

[1]: My "free" [2] accounts all have 2FA enabled. None of the ones I pay for have this option. Ironic that.

[2]: TANSTAAFL. If you want privacy sending/receiving from a free account, use an encrypting MUA. However, for a spam dumping ground, might as well use their storage for junk mail and maybe sift through it every so often.

Re:Concern not warranted

Speaking as someone who was around before hats were invented - you take and store EVERYTHING no matter how uninteresting because there's statistical information.

Re:Concern not warranted

Just one small clarification. "If passwords are sent in the clear, they are kept in the clear (unless they are one-time randomly generated passwords)." This isn't always true. The passwords can be stored with reversible encryption or in clear text. Though I guess if someone can steal the password database they probably have enough access to grab the encryption key as well.

Re:Concern not warranted

[bill_mcgonigle]

Right - the "head of the IT department" was like, "OMG another self-righteous clueless nerd who doesn't understand risk analysis."

There is something that needs fixing here, though - the OP needs to get counselling for his control issues.

Re:Concern not warranted

If passwords are sent in the clear, that absolutely does not mean they are kept in the clear. Unless you are referfing to ones email application. So, if someone had access to your desktop or password to your gmail, they could get that password... and probably a lot more. But the password is still encrypted in the website's database. They simply "unencrypt" the password prior to sending in the email. You could argue that one-way encryption be used. But the password is not in plain text just sitting there waiting to be stolen.

IMHO, just a tad bit of an over-reaction here. Nothing to see. Move along.

Re:Concern not warranted

[JaredOfEuropa]

I suppose you're right: an email with password could be sent during the registration process. As for using encryption for password files that isn't one way, I consider that to be bad practice. The decryption key will have to be kept on the live system, where it can be stolen just like the password file, or the serice could even be exploited to give up the key or decrypt a password. Better if that wholly unneccessary operation is mathematically (nearly) impossible.

Re:Concern not warranted

[LDAPMAN]

Really secure systems use HSMs (https://en.wikipedia.org/wiki/Hardware_security_module )

This means you can't steal the key from a live system.

Re:Ummmm...

[corychristison]

In 2015, passwords should be stored in a one-way hash. Preferably in the PBKDF2 format.

TLS

Do you know if it was sent by TLS? Frequently encryption is disabled if opportunistic TLS is available since encrypted e-mail can be quite a hassle.

FAO auditors the information + company regulator?

[Bruce66423]

If the company is in any sort of regulated sector, this should be reported to their regulator

If the company is big enough to have an auditor - and that's pretty small - they should be informed

If it's a European company, then the Information commissioner https://en.wikipedia.org/wiki/... or the equivalent should be notified. This is clearly unsatisfactory behaviour

Because it doesn't matter

No one gives a fuck about your brother's transcript. It is not Important. On your job app, can you change it? I bet you can which nullifies your whining. If it was your bank account, yeah complain, but don't waste other peoples time on pedantic shit that doesn't matter.

Re:Because it doesn't matter

You idiot. You're the one wasting time on slashdot. It was your choice to come here, read the summary, and then comment on it. All these things were choices you made. Way to be a complete and total retard.

Re:Because it doesn't matter

Same AC you replied to. Allow me to make the same statement in a less confrontational way. I admit I was a bit over the top on the first go around.

Security should be commiserate with the damage that a breach may cause and the desire to commit the breach. Passwords distributed in plain text may be perfectly acceptable depending on the data they are protecting.

A leaked transcript is not particularly damaging to an individual (assuming they didn't lie about it) nor a very popular target (unless they are a politician). Therefore a plain text password is sufficient to prevent casual snooping.

A job application site is not particular interesting either but may be if it contains your SSN. That said, the individual applying generally has the ability to change their password before entering sensitive information. Therefore, changing your password on the first login should provide a sufficient protection from a moderately sophisticated attacker, i.e. the initial plaintext password is not a cause for concern.

Access to a bank site would be damaging to the individual attacked and valuable to the attacker. A network sniffer could gain access using the plain text password and do serious harm/make profit. This is true even if the attacked were to change their password and quickly and possible. Therefore a plain text password is unacceptable.

If you go to your boss and say the whole IS system is insecure you will not get funding to fix real issues. Instead, if you go to your boss and say I need a smaller amount of funding to fix a potential security problem in the credit card processing subsystem you have a high probability of getting the funding. There is a common problem of arrogance and crying wolf within the IT/IS community. We get distracted by being perfect and forget about being good enough.

FAO of inspector general - copy to Congress

[Bruce66423]

The inspector general of the navy should be informed, with a copy to the chairman of the armed services committee. Then run away. Fast...

Re:FAO of inspector general - copy to Congress

[Moof123]

Whistle blowers are prosecuted vigorously and do not get the benefit of the doubt.

When dealing with a government entity you should probably do nothing, as the risks outweigh the rewards at this time. If you still feel like speaking up, raise the issue with your boss in one email, carefully and politely, and file a hard copy of the email somewhere safe. Do not go up the food chain, do not go to the press. If there is a crap storm the hard copy may save you, but even that is not assured.

The default position should be to protect yourself and your family, and not stick your neck out. We have too many examples that show that even the best intentions may result in the messenger being vigorously prosecuted.

Re:FAO of inspector general - copy to Congress

[xombo]

If you point out government waste or find out that the security practices required by the government contract were not met you can actually receive a % payment for the value of the difference won back in court. Try and work that route instead of just whistle-blowing. If you find the government was over-billed for services that weren't rendered (i.e. security) then you have a real case and there are official channels through which you can work.

Re:Ummmm...

True, but what the OP doesn't understand is that PBKDF2 could very well be used to store the password in the database and they are just sending the email, securely over SSL, with a non-hashed version of the password before storing it hashed. It's pretty common during registration processes. Whether it's a good idea or not depends entirely on the application/business.

never reuse passwords

[YesIAmAScript]

It's your only defense. Once a password is sent in the clear it's ruined for other uses. So you must assume this will happen and never reuse one.

Re:never reuse passwords

[Cro+Magnon]

Generally the passwords I reuse are the ones that don't matter much. If someone cracks my /. pw, they might have the access to several unimportant accounts, but not my main email or banking accounts, all of which are unique.

actually cleartext or just visible to you

I'm assuming you checked the message headers and noted that TLS was not implemented and that the message and password were not encrypted during transit.

Passwords

[gurps_npc]

When it comes to passwords, I have found that corporations (and people) do one of two things:

1) Treat them like worthless things - only having them to satisfy those weirdos that want something called 'privacy', whatever that is. What the hell, use the same default 123 for all passwords.

2) Here is your top secret password. It must be 23 digits long, have symbols, letters, cyrillic characters and at least one unicode symbol whose name you don't know. Nothing can EVER be repeated, and it must change every 60 minutes. Also do NOT write it down - even though these conditions mean you absolutely have to write it down in order to remember it.

Honestly, you are talking about your transcript for a University. I can not honestly think of a situation where someone that you don't want to see it would care enough to see it - unless you yourself are planning on committing fraud.

If I was in charge (and I am not), the university should not use a password. They should let ANYONE see your transcript - but also notify you that someone has requested to see it.

Re:Passwords

[omnichad]

I assume the password was for decrypting a password-protected PDF. Just a guess.

Re:Passwords

"Honestly, you are talking about your transcript for a University. I can not honestly think of a situation where someone that you don't want to see it would care enough to see it "

hmmm tell that to President Obama.

Re:Passwords

[gurps_npc]

Sure there are some special cases. But let's be clear about this - a password is not what is protecting Obama's transcripts.

Instead, it's the real legal prosecution that would follow anyone attempting to claim they are him, and/or get it. Because I absolutely guarantee that people could crack whatever password protection they use to protect it.

Re:Passwords

[Psychotria]

Nothing can EVER be repeated

I'm not 100% sure what you mean by this. But if you mean that you cannot use a password that you've used in the past then I have a problem with this... having something jump out and say "you can't reuse this password" actually gives something away: that you've used the password! Maybe you've also used that password on other sites so by saying "you've used this, you can't use it again" is actually, imo, bad for security.

If you mean that you cannot use a character in the password that you've already used then this is also bad for security... it allows an attacker to know that characters cannot be repeated and this, therefore, weakens randomness.

policy

[Orgasmatron]

You don't control the security policy of most things that you need to interact with.

You should be assuming that every single site that is not under your direct and personal control is doing the same thing. Even if they swear that they are not.

Every password that you give to a remote system should be a unique random password given only to that system and saved in your personal password safe.

The one exception is having a common password for things that you don't care about. The trick to taking advantage of the exception is making sure that you really, really don't care about any of the systems in that category, and never will.

Re:policy

Use unique email addresses too. I have several hundred tied to a personal domain name. when the company misbehaves, I terminate the email address.

Happened to me once with a magazine subscription

[umafuckit]

I subscribed to the electronic version of a magazine. Each month I got an e-mail to alert me to the new issue and the e-mail included my plain text password. I contacted them and explained to them why this was a problem. They agreed and got in touch with the company providing the e-magazine service. It took two months, but they stopped the practice. So I think you should just politely inform people.

Maybe not...

[Blrfl]

In my case, it showed that the company was storing my account information in cleartext to be able to e-mail it back to me.

You don't know that for sure. It's entirely possible that the password was generated, sent to you in the clear, stored hashed and the clear version discarded. They can only do that once. If they can do it more than once, it's not being hashed before storage.

The problem with passwords is that at some point, it has to flow in a form it can be read by a human. We're not to the point where everyone on the planet can do everything with key pairs that prevent it.

Re:Maybe not...

Hey, finally someone that understands, while I get down voted for stating the same thing.

Hard Problems

[Don+Faulkner]

"Don't you know my name yet? That's the only answer. Tell me, who are you, alone, yourself and nameless?" — Tom Bombadil in Tolkien's Lord of the Rings

"There are only two hard things in Computer Science: cache invalidation and naming things." — Phil Karlton

This is one of the true hard problems in modern end-user computing, and it comes up all the time. What do you do when you get a phone call like, "hi, this is Don with $MORTGAGE_COMPANY. For security validation, please tell me your address."

How do you provide a way for two people (entities) to get introduced to each other in a reliable way, without a trusted third party to make the introduction? And, beyond that, if you have to create an "account" with me to maintain that relationship, how do we make that happen safely (another questions is why those accounts are so uni-directional; why doesn't the bank need to create an account with you as well?)

Most of the solutions to this problem favor us giving our personal information away for free to big companies, in exchange for some benefit which may never come. There's been talk for ages of having some sort of identity layer for the Internet, but that raises its own privacy and anonymity concerns.

Re:Hard Problems

[coofercat]

My main bank account was set up online. I didn't just pull down "Mr." from the list of titles - I picked one of the others. Now, any time they call me, I ask them "Can you tell me my title, please?". Often it's met with some confusion, but at least it offers a modicum of assurance they really are $BANK. Every once in a while they call from one of their published phone numbers, which adds another layer of assurance, I guess.

They once called me to verify a transaction. For whatever reason, they felt the need to ask me countless security questions - after a few, I just said "Okay, please send me a secure message on the website with your phone number, and we'll continue this conversation there". Again, much confusion, but it all happened.

I'm not saying this is "secure", but forcing someone to send you a message on a website is a whole lot more difficult than having them just war-dial you and try their luck. I reckon I weeded out 99% of the 'bad guys' that time. GCHQ/MI5/MI6/NSA/CIA etc probably would have defeated me, but maybe not in the time it took them to do it.

Re: Hard Problems

[Don+Faulkner]

You found good ad hoc methods for mutual authentication. That's good. I'd like to see more formal methods around this concept. We need tools that mortals can understand, and that work in a variety of contexts. This wasn't a problem in the old days, because we just walked into the shop. When you remove the physical element, scamming gets easier on both sides. The problem is impersonation, and we've been avoiding solving it on the Internet.

Pearson is guilty of this

[bangular]

I forgot my password on a Pearson website, so I did the whole "forgot password" thing. Low and behold I receive an email with the original password I chose.

Re:Pearson is guilty of this

[TheCarp]

One of the last companies I worked for was undergoing a single signon project. In their presentation they made it quite clear that they were actually encrypting passwords with a two way function. After the main presentation I pulled the presenter aside and asked why when hash functions are the industry standard.

His response was kind of hillarious (and kind of sad).... too many IT managers were afraid of the repercussions of not being able to actually recover an executives password if he actually lost it and had used it for something important that couldn't just be reset.

Re:Pearson is guilty of this

His response was kind of hillarious (and kind of sad).... too many IT managers were afraid of the repercussions of not being able to actually recover an executives password if he actually lost it and had used it for something important that couldn't just be reset.

I bet he'd feel so much better if their password store was compromised. Nope, wouldn't get any uncomfortable questions from executives then.

Re:Pearson is guilty of this

I regularly get emails from journals with requests to review manuscripts. Very often, these emails include a reminder of how to log in to their review site, along with the account name and password. This is clearly not a security system, and it only takes a couple of these before you start using "password" for your password. Manuscript review is a nominally confidential process and one that should have relatively strong certainty of who the corresponding party is, but they are gross offenders of 'this link will automatically log in to your account' and 'this is your password' type emails..

I always assume that a random website stores my password in plain text. I imagine that 3% of web sites run a script that tries my selected username and password on banking and ecommerce sites. Almost no one cares about protecting your identity

Re:Pearson is guilty of this

It's 'lo and behold'.

Happens all the time at college Admissions offices

I get a dozen a week like this. User name and document url in one email, password in another email. Link (once accessed) is good for 48 hours, usually. Or a variation on that where the PDF itself is secured. Then you have to download the PDF wrapper and use supplied name and password. Then the fun of getting the PDF into the document management system begins. Can't import secured PDFs, so it gets printed and scanned in or it has to be converted to TIFF or printed to XPS then reprinted to PDF to import. Can't do it in one step with PDF, unfortunately.

Of course, those are more secure than the helpful school counselors that just send us documents in email with no security. Or students who send us financial documents in email. Or admissions counselors insisting upon using such tools as free MediaFire accounts to transmit sensitive documents (because it wouldn't fit in email!). We have policies in place, but nobody listens.

Base64 + rot13

12 rounds of each, enjoy your uncrackable passwords!

At My Company

Posting this anonymously because... well... our system is a cobbled together mess that started in the mid-90s. Passwords are stored in the clear in the database, so aren't case sensitive (logging in is a stored proc), and the password field is a VARCHAR(8). Yes. Eight. Passwords aren't a minimum of 8 in our system, they're a maximum. Due to complaints, we allow passwords longer than 8 on the front end, though... we just truncate them down to eight on the backend. So "scret123" is the same as "SCret12345".

Re:At My Company

[LDAPMAN]

Get your passwords out of the DB and into and decent LDAP directory. It's really not that complicated and it will scale a lot better. As you can tell from my user ID...it's what I do.

Re:TLS?

Well, sorta. Maybe from your ISP to you if your email client supports it.
But the ISPs have to be MicroSoft compatible, which only uses clear-text email.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Get the job?

Probably not. Nothing that hiring managers like less that people telling them that they are idiots!

Re:Get the job?

Especially when it doesn't matter. Who is going to take the time to crack your application for a part-time job...why!?

Obfuscation by Social Engineering

[Lab+Rat+Jason]

I use "[password redacted]" for my password for this very reason!

Re:Obfuscation by Social Engineering

[neminem]

The best password: ********

Re:Obfuscation by Social Engineering

That just shows up as asterisks here...

Re:Obfuscation by Social Engineering

[jittles]

That just shows up as asterisks here...

Yep. I can type in my password all I want and you can't see anything but asterisks. So I can hunter2 all I hunter2 want and you can't hunter2 it

Re:Obfuscation by Social Engineering

you can go hunter2 my hunter2-ing hunter2

haha, does that look funny to you?

CentOS Mailing List!

Every month, on the 1st, I get an email reminder that I'm on the CentOS mailing list with the subject "centos.org mailing list memberships reminder." And in that email is my password, plain text. And every month I shake my head as I'm reminded of how bad of a practice this is -- not only do they not use hashes but they also choose to email the password out regularly. Really CentOS!? I realize this is probably some old mailing list software and it's not protecting any sensitive data, but still, it reflects poorly on the organization that chooses to use it.

Re:CentOS Mailing List!

[Asgard]

That is Mailman, and is fixed in Mailman 3.

Re:Happened to me once with a magazine subscriptio

[i.r.id10t]

They didn't salt and then hash their copy of the passwords - they are still stored plain text. They just stopped including it in your email.

Make them aware and make them feel it.

"You have sent me the password of my account in clear text. This is a security issue as passwords sent out in plain text can easily be intercepted and abused by a third party.

As your company has demonstrated a total lack of security awareness, I cannot trust you to safely handle my credit card information. As such, I will take my business elsewhere and will not be purchasing my PC at your company."

Re:Security questions

My policy on security questions is to use algorithmically generated answers based on the text of the question itself (which can be relied on to be invariant); thus there's no risk of an imposter guessing them, nor do I need to store the answers anywhere. There are enough different ways to hash the questions, and the practice is sufficiently uncommon, that it's a very low-risk strategy.

happened just today!

Got back home from doctor's appointment this afternoon, and when I checked my email, I noticed I got a message from a healthcare portal associated with my doctor's medical group. In the message the portal not only assigned my username, but it also listed a temporary password that's good for 30 days! All of this transmitted cleartext. Since I have no interest in using this portal, I contacted via email the company managing it and told them to delete my account because I didn't trust them to secure my medical information. I've yet to hear back from them.

How else are you going to do it?

[Nkwe]

If you assume that the only communication channel the company has with you is email (which is generally a pretty good assumption as multiple channels or channels that include humans are expensive), there isn't really any other choice but to send the credentials (password) in plain text.

This is not a new problem. For the entire history of secure information transmission (cryptography), one of the hardest issues to solve is the issue of initial secret (key) exchange. This problem has been around a lot longer than computers have.

To actually be secure over email you would need the end user to provide a public key when they request the password and then have the company encrypt that password with the public key. The user would then decrypt the password with their private key. This can all be done with S/MIME, but would be a pretty tall order to expect that a random user would be able to figure out how to obtain and use a personal email certificate.

You could split the password into multiple parts and send each part in a separate email or separate the account and password into different emails. These are decent options but don't really provide true security against a targeted attack (someone sniffing the network or directly accessing the email server). These do provide a reminder to the end user that security is important. I would suspect that targeted attacks are not that common.

You could try and obscure the password by making it really long garbage string or embedding it in a URL, but it still ends up being a password in plain text. These don't add any security and may instill a false sense of security.

If a second channel is not cost or support prohibitive, then a one time use text message (SMS) or automated phone message is a pretty good option.

Re:How else are you going to do it?

[dave420]

So you have the user define the password, and just send them a one-time activation link. If the user needs to reset the password, send them an email with a one-time reset link. That's a lot better than sending out a password over plain text. Sure, sensitive information is in the emails, but it expires quickly. The password will be the password for a relatively long time.

Re:Ummmm...

[Bert64]

If the password can be retrieved in an automated fashion then even if its encrypted, everything necessary (i.e. the key) is present, so if the host is compromised the passwords effectively are plaintext as the attacker can simply run the same process to decrypt the password.

And even if you use SSL to check your mail, that doesn't change how the email has been transmitted from one mail server to another, which is often done without using SSL, and most mail servers will fall back to plain text even if they do support SSL because so many out there don't support SSL at all.

It is "a random hash"

[tepples]

and send them an email with a link (containing a random hash that's indexed to that user in the DB) to verify the email address

But how would you encrypt "a random hash" on its way to the e-mail recipient?

Why would you need to generate a password for them, especially if you're going to email it plaintext and make them change it anyway?

Because this one-time random password serves precisely the same purpose as "a random hash" that you mention.

Re:It is "a random hash"

[Junta]

The idea is that the user set his password via (presumably) secure https. The purpose of the random hash is so that you provide the legitimate email user a transient secret that must be used *in conjunction* with the password they had chosen (or some session cookie sent via https to avoid making them log in twice when clicking on the email).

So here the password is to authenticate that the original person that accesses the site, the hash authenticates a valid email account. Both together are required to verify the account is valid. This way someone intercepting SMTP doesn't get access to hijack account and someone without a valid email can't get an account activated.

Re:It is "a random hash"

[tepples]

This way someone intercepting SMTP doesn't get access to hijack account

Then how would a reset work? Or do all subscribers to your service additionally need to subscribe to mobile phone service on a supported carrier?

Re:It is "a random hash"

[Junta]

It would be bad form to reset the password when anyone clicked 'reset this accounts password' anyway. So until the link is followed, no action should be taken with regard to the account password anyway. This way a malicious person can't just denial of service a valid account by clicking 'reset my password'.

This means if an attacker is able to intercept your SMTP, they could still hijack your account through requesting a password reset at will, so it's not perfect, and yes some 2 factor authentication would be nice *if* it were an important site. Account creation needn't have this particular hole, just password reset.

If you didn't want to SMS, you could use TOTP (e.g. google authenticator is one implementation, but not the only one). Though either way that's something to potentially lose so it would be a suggestion option for those increasing security.

Not 100% of Internet users have unlimited SMS

[tepples]

If you want a bit more security than this you could do something like text the user the token instead of baking it into the URL.

But how do you send a text to the number "I don't have a cell phone" or to a land line? I tried to send the code to a land line on a couple sites and got "Unsupported carrier".

The case in the example ....

[aix+tom]

... would be "kinda OK" in my book. (if the description is correct)

After all, it was NOT a password "linked to an account", but only a password to "access a document".

If you have documents that you have to give to a few thousand people, then a possible approach would be to just put them on a web server, protected by HTTP authentication. Then when a user wants the document, create a username/passwort, mail that to the user, and then perhaps a month later delete the username/password pair.

Probably works fine for documents that are not "really that secret" but you still don't feel comfortable putting on the open web for any search engine to find.

I get it in snail mail too

I'm an attorney. Every year, the state bar sends out (via postal mail) a license renewal reminder to all of their registered attorneys. The reminder gives the URL to visit for online renewal, and then lists the attorney's username and password.

So, every year the state bar mails out the credentials for all of their users.

Nobody cares about the password your transcript...

[toadlife]

...or your job application.

Because of the low value of the data that the password grants access to, lax handling of the password is acceptable.

Now if the password granted you access to everyone's college transcript or job application, then how it was handled would certainly be important.

Different types of data have differing security requirements.

Re:Security questions

[ArcadeMan]

And your method won't work if somebody "fixes" the question because of a typo/change of phrasing/to make it clearer/whatever reason.

Re: TLS?

Exchange has supported TLS for SMTP connections since at least Exchange 2003. There's no reason to not use it anymore.

I created a simple PHP script to solve that

[agi]

I'm a sysadmin. I send lots of passwords to users (on account creation, that is). Got tired of sending them in clear text (since they don't do GPG/PGP), or spelling them on the phone. So I created a simple php application that, under SSL, will encrypt your message on disk and offer it ONLY to the first visit (the message is destroyed on first read). I've been using it since, best bunch of hours spend on code. There: https://onetimepaste.org/

Re:I created a simple PHP script to solve that

[Gavagai80]

The reason people like getting an email with their password when they register is that they can search and find that email again later. Why would they want to see their password one time right after registering? Why not just not show it and not email it if you're not going to provide the convenience of a saved record?

Facebook defeats security theater questions

[tepples]

The questions we ask are not something that would normally be found in a users inbox

A lot of time, the answers to security theater questions are things that would be in a user's Facebook timeline, such as the name of the middle school that the user attended.

Re:Facebook defeats security theater questions

Which is why I use 16 character randomly generated strings as the answer and include that in my password storage system (passpack with two-factor) along with everything else.

Security theater questions

[tepples]

Send an e-mail with a verification URL

How do you encrypt this unique verification URL on its way to the subscriber to your service?

security questions

I'm sorry; I misread this as "security theater questions". See "The Curse of the Secret Question" by Bruce Schneier and "Wish-It-Was Two Factor" by Alex Papadimoulis.

Re:Security theater questions

[cbhacking]

There's generally no way to send the user a secure (i.e. encrypted) message. All you can do is make the token short-lived and hope that nobody is intercepting server-to-server email traffic (and that the user's email account is secure, both from malicious clients and from server-to-client interception). It sucks, but until email encryption of one sort or another becomes more ubiquitous, it's the only workable option.

All the time for resetting a password.

[LWATCDR]

Really? Of course they will send you a reset password in email. The other option is that or a link.
Ideally it is only good for a single use and you then enter a new password.
How else would you do password recovery?

Re:All the time for resetting a password.

At least you can expire a link and use HTTPS/SSL to prevent man in the middle attacks.

It's to confirm control of your e-mail address

[tepples]

In the message the portal not only assigned my username, but it also listed a temporary password that's good for 30 days! All of this transmitted cleartext.

This use of a one-time, soon-expiring autogenerated password is common in flows that include the step "To reset your password, confirm your e-mail address" or "To opt in to e-mail notifications, confirm your e-mail address". Is there an alternative, other than to either A. mail all customers a second factor of authentication used to reset a password, or B. require all customers to subscribe to mobile phone service with unlimited texting to receive resets through SMS?

Re:It's to confirm control of your e-mail address

I wouldn't describe an autogenerated (7 digit numerical string, I forgot to add) password that is good for 30 days as "soon-expiring". Plus, this wasn't an account reset situation. I didn't even create the account or even know about the portal until I got the email. The doctor's group just set it up automatically because that's how they schedule appointments and post test results apparently. My problem is that 1) I was signed up with the portal without my knowledge or acquiescence; 2) My assigned user name and password were sent in cleartext,; and 3) the temporary password is good for 30 days. Plus, I'm not all that thrilled that my medical information is made available on the web by a company I never even heard of before today.

Re:Ummmm...

I wasn't talking about password retrieval, neither was OP. If a forgot password or retrieval process is sending original passwords, then yes security is lacking and most likely stored in plain text without encryption or weak key encryption. He is complaining about a plain text password emailed during a registration process, which is extremely common and does not mean the password is actually stored in plain text. This is OP's misconception and lack of understanding. They could just be sending it before hashing and storing. If he's not even choosing a password and it's auto-generated, what does he expect to receive? Apparently OP wants his passwords from form data to be magically hashed before even being transmitted and magically work with whatever system they are stored in. It has to exist in plain text initially and that is what OP fails to realize.

Failure to understand

[Legionary13]

I recently got a payslip emailed to me. This was full of information I didn’t want to see published and, as far as I could see (IANAL) was in breach of our Data Protection Act (in UK). I emailed the company to say that I thought this was not a good idea: it was potentially a risk to staff and gave the company legal exposure. My contact responded by saying he could stop them sending mine by email in future. I thanked him and asked him to notify information governance: if there isn’t one, then HR: no response. It worries me that the simplest data protection policies are so hard for some people to understand.

Re:Happens all the time at college Admissions offi

[Bert64]

Or you can use pdftk to remove the arbitrary pdf restrictions and get a plain normal pdf file out of it...

/. used to send cleartext user name and password!

Here's my user name and password emailed to me in the clear by Slashdot, though it was 1999:

From slashdot@slashdot.org Fri MMM DD HH:MM:SS 1999
To: --------@-----------
Subject: Slashdot user password for ---------

The user account '---------' on http://slashdot.org has this email
associated with it. A web user from 123.45.678.9 has
just requested that password be sent. It is '----------------'.
You can change it after you login at http://slashdot.org/users.pl

If you didn't ask for this, don't get your panties all in a knot.
You are seeing this message, not "them". So if you can't be
trusted with your own password, we might have an issue, otherwise,
you can just disregard this message.

--Rob "CmdrTaco" Malda
    malda@slashdot.org

Don't encrypt!

[cbhacking]

Don't ever store passwords (reversibly) encrypted. Don't even (just) hash them; hash functions are way too fast (and yes, fast is bad here). There should be no way for anybody to get the password out of the info stored in the database, even if they know all your keys.

Use a slow key derivation function instead. PBKDF2 is popular, because it's easy to understand and widely supported; it's basically just taking a value (the password), salting it (you are using a strong, cryptographically random, per-user salt... right?) hashing it, salting the resulting digest again, hashing the salted digest, and repeating the last two steps over and over (tens of thousands of iterations are common). At the end of that, you compare the resulting digest to the value stored in the database; if they match, the user is authenticated. Obviously, don't try implementing this yourself; even simple crypto should always be written by an expert, and you should use the resulting library. There are lots of places to find it, though.

Alternatively, you can use the purpose-built algorithms like scrypt or bcrypt. These are more complex (and less widely implemented) than PBKDF2, but they also offer more advantages against brute forcing, such as requiring a lot of RAM during the computation so you can't build a massively parallel hash-cracking machine (a commodity GPU can do billions of hashes per second in parallel; these algorithms make those parallel attacks harder).

Re:Don't encrypt!

[LDAPMAN]

There are actually valid reasons for using two-way encryption in some scenarios. It's not ideal but it can be quite secure if managed properly. For example, most privileged user management systems and password escrow systems need to use reversible encryption. There are also reasons to do so in certain credential synchronization/SSO scenarios. Yes, just dumping encrypted passwords in a database is a bad idea. However, done right you can have two-way encryption and maintain security.

Type 4 UUIDs

[tepples]

The combination of time (the UUID can be time boxed), activity (a successful login nullifies the UUID), and possession (control of the account's registered email address)

My concern is how to keep someone between your server and the subscriber's MUA from compromising "possession", or how to establish "possession" the first time.

Assuming the coders didn't decide to come up with their own GUID generation algorithm that is easily reverse engineered and seeded

I just use a PRNG. If I need it as a GUID, I request 120 random bits and format them as a type 4 UUID. Is that good enough?

Re:Type 4 UUIDs

[RingDev]

My concern is how to keep someone between your server and the subscriber's MUA from compromising "possession", or how to establish "possession" the first time.

If you follow the same model with account creation, then you already have possession established. If someone compromises your email account, and knows your user account for this site, and knows your security answers, then yeah, you're borked. But if someone has all of that information already, I'm pretty sure you've been borked for a while and in significantly worse ways than someone having your college transcripts. ;)

I just use a PRNG. If I need it as a GUID, I request 120 random bits and format them as a type 4 UUID. Is that good enough?

"Good enough" is a question that is best answered by the asker. Security isn't a Boolean implementation. You aren't secure or insecure, you are at some level of security across a very wide range. Storing passwords in clear text is vastly more secure than having no authentication on a system at all, but it is vastly less secure than storing a hashed password. And that is vastly less secure than storing a 1-way hashed password. And even that is meaningless if you don't have a secured communication layer, or if you aren't correctly exchanging public/private keys. etc...

Are you trying to keep script kiddies from spamming your content management site with pictures of dicks, or are you trying to keep banking details, SSNs, and credit histories locked up with controlled access via the internet?

With that said, you're likely more on the 'secure' side using a v4 UUID, assuming the rest of your implementation follows the appropriate patterns.

-Rick

Re:/. used to send cleartext user name and passwor

I used to keep my /. password in my IMAP folder. For years I would just search for the old mail instead of memorizing it or writing it somewhere safe.

in case you're wondering...

[slashmydots]

"Not too long ago I had a similar experience when applying for a job online (ironically for an entry-level IT position)"
That would likely be Tek Systems Inc he's referring to. You know, one of the largest IT staffing company in the US. They did precisely that to me as well. I changed my password immediately to one I don't use elsewhere.

All the time. But importance is the question.

There are legions of sites out there that will shoot you an auto-generated password over plain e-mail: hell, even Google (as in, Google Apps) will do it.

The question is user responsibility and importance. If you're signing up for something, you should pretty much be there to complete the process, log in, and change your credentials.

99% of places where it happens, literally nobody gives a shit. Sorry, but access to some random putz's social media account is not a serious security problem, and it's probably not worth the massive support headache that an actual secure method of credential issuage/distribution would cause.

College transcripts? Admittedly, I haven't been in college in forever. Unless there's something like an SSN floating about on the document, well, seriously? Nobody cares. Same with job applications.

Yes, in a perfect world, all of our data, no matter how trivial, would be locked away behind quantum multi-phasic encryptowoo. It isn't a perfect world, and it's rather understandable why nobody's willing to wait three weeks for an RSA-type token device just so they can tell the Internet what they had for dinner.

doesn't mean it is stored in clear

fairly normal practice is to generate a random password, email it to the user and hash it and store the hash. The user can then log in and change their password to something of their own choosing, but the start point is just sent through a different channel. The big problem is if the service can tell you what your password is, or repeat the email, or resend you your password - that means it is stored in the clear. If they can reset your password and send you a new random password then that is OK (ish, not perfect, but we don't live in a perfect world)

Re:Ummmm...

[cbhacking]

There's better options than PBKDF2, like scrypt. Also, both require you to chose some parameters; PBKDF2 with a salt of String.Empty, hash algorithm of MD5, and iteration count of 1 is... just an MD5-hashed password. Obviously, those are terrible and stupid parameters, but if people were *good* at choosing secure options then this whole thread wouldn't exist. At least scrypt *only* has the work factor, and it's pretty straightforward.

I Like This

I Like this. It beats the heck out out of email and it is far more convenient than a phone call.

Good job!

Sure

Is an email with a plaintext password that much more dangerous than an email with a reset password link?

Granted users are stupid and will use the same passwords everywhere... but for me I really don't care - I use randomly generated passwords for nearly everything and two factor authentication for passwords I need to personally type in.

A URL is not a link?

[nickweller]

"What I found was that the transcript company had sent an e-mail with a URL (not a link)"

I thought a URL was a link, what other kind of link are you referring to?

Re:A URL is not a link?

[dbIII]

Possibly means a plain text email with a string the user has to copy and paste instead of some html so the user just has to click on it.
People have got powerfully angry at such an inconvenience on this site when I've put a URL in a post and it's shown as text instead of a handy little link.

Re:A URL is not a link?

I'm guessing the URL was in the body of the email but it wasn't HTML-formatted with tags.

Give Obama's answers to security questions

[raymorris]

You're right that it's normally easy enough to find the answers to questions like "what high school did you go to?" I make that much more secure by secretly replacing "you" with "Barak Obama".* I don't enter MY high school, I enter Obama's. I enter Obama's mother's maiden name. So anyone who goes on my Facebook** to get answers will get wrong answers.

* I actually use another famous person, not Obama.
** You won't find much on my Facebook page, because I don't use Facebook. But if I did, it wouldn't show the answers I use.

Re:Happened to me once with a magazine subscriptio

[agm]

The KDE mailing lists do this.

Re:TLS?

It's still bad, regardless of how it is transmitted. If they have access to your plaintext password (which they would, if they mail it to you), that means if their database is compromised, so is your password. And since many people use the same password on all of their online accounts, the attacker can go searching for other places they can use your password, such as gmail or your bank.

Just get out of the password business

Why does every site think it is worthy of its own username/password?

Just use oauth2, give them a nascar login, and let them auth against whatever provider they want.

You store an id that is completely useless for anything else even if it were compromised.

docusign.net

[cecst]

Here's an example: while applying for a job, I was required to use docusign.net. This site carefully offered the option to use paper for all communications, while explaining that doing so would increase processing time considerably. I elected to fill out the application, which contained plenty of highly confidential personal information, electronically. However, when I signed it, docusign.net then EMAILED ME COPIES OF THE DOCUMENTS IN PLAIN TEXT.
Nowhere on the site was there a warning that this would occur, an option for using encryption for email communications, or an option to download completed documents rather than having them emailed.
From this I inferred that the customers of docusign.net are their client entities, and the people who fill out the documents are [fill in your favorite term].
My response? I questioned the integrity of the organization to which I was applying, and vowed never to do anything through docusign.net again.

Re:"Eating your words" != GOOD nutrition

[Sardaukar86]

Stop stalking APK, join the discussion or go away please.

U-verse is guilty

[Snotnose]

Signed up for UVerse, got it installed a couple weeks ago. 2 surprises. First, I got a "welcome to ATT UVerse" email that contained my account password in cleartext. Not cool UVerse.

Then I logged into my router at 192.168.1.254. There on the welcome page was my wifi password for all the world to see.

It's turning out the UVerse DVR is a steaming pile, at this point I can't really recommend it.

The Australian Credit Reference Agency does this..

Veda - the Australian credit reference company - sends people their full credit history file as a PDF whose password is their date of birth.

You'd think that because they have the official government approved monopoly on credit scoring in Australia they'd have their act together a bit more than that, but nope...

worse

I signed up to get my medical records from my doctor only to find out that they sent a URL that pointed to an image of my password! Anyone could, and I did start creating/incrementing the URL number contained in the address and get other passwords. I donber

My kids' school webapp

called ParentVue /StudentVue emailed me my password in cleartext after I clicked the "forgot password" link once. I sent the sysadmin (no actual help or other contact available) an email, and he explained that they store the passwords using a reversible hash. Puh-LEEEZE.

XM Radio

XM is the worst.

You can call them, simply give a phone number and they will tell you the password over the phone.

Pornography

Virtually all pay porn sites send you your login credentials in clear text when you signup.

I do it intentionally

[holophrastic]

I run a company, a tech company, and I actually insist that most passwords be easily sent to clients in plain text.

I'm not talking about credit card information, obviously, nor control of any nuclear facilities. We're usually talking about invoices, business-administrative panels, business reports, and even financial reports. And, believe it or not, even e-mail passwords.

It's certainly not more secure. Especially those last two.

But I drive very fast on highways with other cars driving very fast, and the only thing separating us from 50-car pile-ups and massive death is a yellow line of paint.

In all of these cases, no one dies, and no one directly loses large sums of money.

But it's more than just convenience alone. It's business. Business often comes down to service. And when a client forgets their password, nothing beats just telling them. Yes, telephone's a little bit better, but not always the better business solution.

In the end, you know something, it's up to the person paying the bills. If my client doesn't care about the security risk, then I'm not the one to force them onto the long road.

The front door to my house has a lock that is easily picked -- which doesn't matter because right next to the door. . . is a window. I don't want bars on my windows either.

Sadly I've seen this for some forums....

First two that come to mind are XDA-Developers and the Cyanogenmod Forum. Both websites do not support HTTPS logins or even HTTPS at all as far as I understand.

Password on a PDF

I had one "are you stupid?" experience, where a financial company sent my monthly statements as PDFs.
That is fine, but they added a password to the PDF. MY password to their website.

So now the attacker just needs ANY of the monthly PDFs, my account number (which was also in the email and in the PDF), and pdfcrack.

Once the PDF password was cracked, the attacker would have everything they needed to log onto my financial account.

I complained, and many months later I think they changed it. But it took a while for them to comprehend.

Re:Ummmm...

[corychristison]

I was not aware of scrypt. Thank you for pointing it out. It appears to be pretty new. PBKDF2 has been a published standard since the year 2000.

circumlocutions and in-jokes

[david_bonn]

I've found that you can go a long way with in-jokes and circumlocutions that only an employee at the given location could know.

An example might be the name of a local watering hole. Especially if there is an in-joke name at the company. That way you send one of your guys an email that says, "Your new password is the official name of the West Conference Room -- change it sooner than immediately" or "Your new password is the name of the hot waitress at Poltergeist Chinese -- change it sooner than immediately". This works all the better if "Poltergeist Chinese" isn't the official name of the restaurant in question (god I hope it isn't).

Usually you end up having a lot of gadgets in the office that are beyond the ken of IT, either out of laziness, willful blindness, or just not telling them. In most shops those gadgets all usually end up having the same password for sanity purposes, and if they are behind a decent firewall and not directly connected to the Big Wires that really isn't a problem. Usually there will be a common and well-known password (hopefully not something like "password" or "secret" or "please", although I have seen all three). If you have this kind of situation, you can send an email of the form, "your new password is the usual and accustomed password, change it right away."

I had worse than that

[dbIII]

What surprised me was that a second e-mail was also sent containing the password (in cleartext) to access the document

The HR manager at a place I used to work at would send both in the same email.
However I still couldn't read the stuff he sent out since the key and document had to be used with a specific version of MS Office that was new at the time.

What to do about it:

[bscott]

I'll tell you what *I* do about it - I promptly complain to someone who proceeds to ignore me entirely, that's what I do about it.

hunter2

[LocutusOfBorg1]

If you choose "hunter2" as password, it is automagically crypted and shown as "*******" so you can consider yourself pretty safe. [citation needed]

Re:Nobody cares about the password your transcript

[BitZtream]

The amount of effort it takes to do proper password handling versus the amount of effort it takes to just store one long enough to authenticate a user is so little different that treating them differently just shows a lack of knowledge about security in general.

Sending a clear text password for 'recovery' tells me that you didn't even bother to hash it ... that is NEVER AN ACCEPTABLE PRACTICE. If you think it is, or if someone treats it like it is, it shows you that they aren't capable of treating the different bits of data at different security levels since the extra 3 lines of code to hash the password for safer storage was apparently too much for them.

If you(they, whoever) care so little about the password that its not hashed, then its not worth having a password for in the first place. On modern processors, even doing hashing in ASSEMBLY is not a ridiculous task, every other higher level language has a library that does it in one function call in most cases.

There is no excuse that justifies storing a password in clear text. Ever.

You mean like slashdot?

[steaminghacker]

Slashdot account creation sends pw in plain text. Although it does tell you to change it immediately. On a related transgression, lastminute.com sends your name and date of birth in plain text when you book a flight. I didn't like this one.

use http, not https ...

[Skapare]

... to read my latest password in clear text: j6apZVsxrXwFZ?P8,BdVb9uz1Q=:Ephq

Um, no it didn't.

"it showed that the company was storing my account information in cleartext"

No, it does not show any such thing, it shows that they emailed it to you in unencrypted form, but says NOTHING about how the company stored your data.

I agree it is bad form to email such things and have said as much for years - worse to send both in one email! But still, it does not speak to how the company stores your data at all.

One time passwords

[xenobyte]

The solution is obviously to use a machine generated one time password, possibly with a limited lifetime, to protect some data - for instance a password. It can be used only one time and the protected data delivered using SSL and is securely deleted afterwards. The real password would be stored inside this data and will only be in cleartext for the lifetime of the data or until it is fetched.

Stop "eating your words" (it's not healthy)

See subject: It's also not polite to talk w/ a full mouth http://it.slashdot.org/comment... seeing as you're STILL "eating you words" in that link I see!

* LMAO...

(You really ought to CHANGE YOUR DIET: "eating your words" != GOOD nutrition Sardaukar86...)

APK

P.S.=> Tell us: How does "eating your words" in a 244++:1 ratio against you taste? Can't be TOO good, spiced w/ the 'bitter taste of SELF-DEFEAT', & rammed down your throat since your FOOT'S IN YOUR MOUTH too, lmao... apk

Yes, it might have been encrypted

If you email provider and the senders email service both support opportunistic TLS, the email is automatically encrypted during transmission. Most email providers support it: https://www.google.com/transparencyreport/saferemail/

What I post's nonsense dave420?

"I just reply to you when I see you spamming Slashdot with your nonsense"- by dave420 (699308) on Friday June 19, 2015 @10:31AM (#49945047)

Why'd you agree w/ my points on hosts then? Quoting you:

"I'm not denying all those things" - by dave420 (699308) on Wednesday September 17, 2014 @11:39AM (#47927435) FROM -> http://yro.slashdot.org/commen...

Of course not: It's impossible to dispute HOSTS FILES superiority to other methods!

Since my points in favor of hosts SINGLE FILE native kernelmode faster part show hosts doing more w/ less vs. so-called 'competitors' many part messagepassing + cpu/ram use overheads laden slower usermode FAR MORE COMPLEX 'solutions' doing less than hosts do for more security, speed, reliability, + anonymity!

I make creating a superior more efficient solution EASIER!

(That's more than a mere trolling stalking harassing "ne'er-do-well" like yourself could *EVER* manage).

---

"I'm simply pointing out that it takes an AdBlocker to block your spamming"- by dave420 (699308) on Friday June 19, 2015 @10:31AM (#49945047)

I bother you? Then WHY DON'T YOU DO IT & use 'em? Answer that!

(You stalk/harass me instead!)

OBVIOUSLY you don't & you're a "ne'er-do-well" troll & you have "other motivations" (next):

---

* QUESTION:

DO YOU WORK FOR AN ADVERTISING FIRM, or ARE YOU A WEBMASTER/WEBCODER http://slashdot.org/comments.p... , or a MALWARE MAKER, or ARE YOU AFFILIATED WITH 1 OF MY COMPETITORS?

Answer it!

As per your usual you'll avoid every question, or lie & You've been EXPOSED in your "motives" in the last link just above, lol!

APK

P.S.=> See Dave420 the "pot puffing clown" SQUIRM - evasions galore will ensue (as well as effete downmods via sockpuppets to *try* vainly "hide it" -> http://slashdot.org/comments.p... )... apk

"Eating your words" != GOOD nutrition

"Your hosts file comments are not trustworthy" - by omnichad (1198475) on Friday August 09, 2013 @11:22AM (#44520759)

See subject: MalwareBytes' hpHosts Admin (MalwareBytes employee who has seen & verified its sourcecode too no less as safe) hosts & recommends it -> http://hosts-file.net/?s=Downl...

&

MalwareBytes = BEST antivirus (per this VERY recent testing of them all) -> http://www.av-test.org/en/news...

&

It's GUARANTEED safe & clean (per it being checked by 57 antivirus programs recently) in BOTH its 64-bit model -> https://www.virustotal.com/en/...

+

In its 32-bit model also https://www.virustotal.com/en/...

---

Tells us, omniweasel:

* HOW'S IT TASTE "EATING YOUR WORDS" flavored with your FOOT IN YOUR MOUTH ramming them down spiced with the BITTER TASTE of SELF-DEFEAT"?

LMAO...

Additionally - have some manners!

It's NOT POLITE to talk with your mouth full as you "eat your words" quoted above after all that proof to the contrary from reputable sources.

APK

P.S.=> Lastly: You also conceded MANY points on hosts to me & made huge mistakes vs. me here http://tech.slashdot.org/comme...

&

Here too http://tech.slashdot.org/comme...

LMAO @ U, "omniloser"... apk

"Eating your words" != GOOD nutrition

"Your hosts file comments are not trustworthy" - by omnichad (1198475) on Friday August 09, 2013 @11:22AM (#44520759)

See subject: MalwareBytes' hpHosts Admin (MalwareBytes employee who has seen & verified its sourcecode too no less as safe) hosts & recommends it -> http://hosts-file.net/?s=Downl...

&

MalwareBytes = BEST antivirus (per this VERY recent testing of them all) -> http://www.av-test.org/en/news...

&

It's GUARANTEED safe & clean (per it being checked by 57 antivirus programs recently) in BOTH its 64-bit model -> https://www.virustotal.com/en/...

+

In its 32-bit model also https://www.virustotal.com/en/...

---

Tells us, omniweasel:

* HOW'S IT TASTE "EATING YOUR WORDS" flavored with your FOOT IN YOUR MOUTH ramming them down spiced with the BITTER TASTE of SELF-DEFEAT"?

LMAO...

Additionally - have some manners!

It's NOT POLITE to talk with your mouth full as you "eat your words" quoted above after all that proof to the contrary from reputable sources.

APK

P.S.=> Lastly: You also conceded MANY points on hosts to me & made huge mistakes vs. me here http://tech.slashdot.org/comme...

&

Here too http://tech.slashdot.org/comme...

LMAO @ U, "omniloser"... apk

Tell us about "AlmostAllAdsBlocked+" Coren22

See subject & LMAO @ U, boy -> http://slashdot.org/comments.p...

FACT: "AlmostALLAdsBlocked+" is INFERIOR vs. hosts - hugely so!

AB+ doesn't even DO what it's supposed to fully anymore being BRIBED http://finance.yahoo.com/news/... not to!

AB+ doesn't do a FRACTION of what hosts do for more speed, security, reliability, + anonymity online!

AB+ EATS 128mb of RAM (vs. hosts @ 11 *maybe* tops via my program with CURRENT data, the important kind vs. current threats + ads) http://cdn.ghacks.net/wp-conte...

AB+ adds messagepassing overheads!

AB+ operates in SLOWER usermode (vs. hosts in PnP kernelmode)

AB+ creates huge CPU consumption!

AB+ is also detectable by clarityray (via native browser methods) nullifying it (not hosts).

---

I use what you already have that works & does more with LESS, no less - you by way of comparison? Pile on "MoAr" that doesn't do as nearly as much & what it's supposed to do, massively inefficiently no less (see above)?

Ab+ NO LONGER DOES!

* AFTER ALL THAT?

AB+ = "better", Coren22?? LMAO - NO f'ing way!

If you say it is, you are *TRULY* stupid & I'd reply saying "argue with the numbers" & facts above, from reputable sources & analysis proving my points for me!

APK

P.S.=> Gonna go "cry in your cereal" now, boy?

(You ought to for being STUPID enough to use OR SUGGEST a blatantly INFERIOR solution! See above - it's fact & truth via reputable sources)... apk

Coren22: Questions 4u... apk

See subject, "Run, Forrest: RUN!!!" - Can ab+ do 16 things hosts do for speed, security, & reliability:

1.) Protect vs. malicious sites/servers (past ads)
2.) Protect vs. fastflux botnets + stops C&C communique
3.) Protect vs. dynamic dns botnets + stops C&C communique
4.) Protect vs. DGA botnets + stops C&C communique
5.) Protect vs. downed DNS (adds reliability)
6.) Protect vs. DNS redirect poisoned dns
7.) Protect vs. trackers
8.) Protect vs. spam
9.) Protect vs. phish
10.) Protect vs. caps
11.) Get you past a dnsbl
12.) Keep you off dns request logs
13.) Speed up surfing by adblocks & hardcoded fav. sites
14.) Work on anything webbound (ie email programs) multiplatform.
15.) Give you easily controlled data
16.) Do all that & block ads more efficiently in cpu + memory usage vs. addons

* ANSWER ="NO" to each on ab+ doing it or as well + hosts = already on every device natively.

APK

P.S.=> Ab+ does less than hosts & less efficiently - hosts do MORE w/ less + Hosts start w/ the IP stack before REDUNDANT inefficient addons BEGIN to operate (as 1st resolver queried):

Ab+'s 128mb memory inefficiency -> http://cdn.ghacks.net/wp-conte... (hosts consume 3-11mb using my program initially).

+

ClarityRay defeats it dumping addons in use in a browser via native browser methods to do so!

+

Ab+'s paid to not do its job http://finance.yahoo.com/news/...

Ab+ adds complexity + slower mode of operations (usermode = more messagepassing overheads vs. hosts in kernelmode).

What's best?

APK Hosts File Engine 9.0++ SR-2 32/64-bit -> http://start64.com/index.php?o...

MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

&

It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

+

In its 32-bit model also https://www.virustotal.com/en/...

... apk

"Eating your words" != GOOD nutrition

"Your hosts file comments are not trustworthy" - by omnichad (1198475) on Friday August 09, 2013 @11:22AM (#44520759)

See subject: MalwareBytes' hpHosts Admin (MalwareBytes employee who has seen & verified its sourcecode too no less as safe) hosts & recommends it -> http://hosts-file.net/?s=Downl...

&

MalwareBytes = BEST antivirus (per this VERY recent testing of them all) -> http://www.av-test.org/en/news...

&

It's GUARANTEED safe & clean (per it being checked by 57 antivirus programs recently) in BOTH its 64-bit model -> https://www.virustotal.com/en/...

+

In its 32-bit model also https://www.virustotal.com/en/...

---

Tells us, omniweasel:

* HOW'S IT TASTE "EATING YOUR WORDS" flavored with your FOOT IN YOUR MOUTH ramming them down spiced with the BITTER TASTE of SELF-DEFEAT"?

LMAO...

Additionally - have some manners!

It's NOT POLITE to talk with your mouth full as you "eat your words" quoted above after all that proof to the contrary from reputable sources.

APK

P.S.=> Lastly: You also conceded MANY points on hosts to me & made huge mistakes vs. me here http://tech.slashdot.org/comme...

&

Here too http://tech.slashdot.org/comme...

LMAO @ U, "omniloser"... apk

I tried

I signed up for Tigerimports.net back in February, and was surprised to find out they had sent me my password in the account creation confirmation email in plaintext. I notified them immediately and a support member replied stating this wasn't intentional and that Sunshop, their shopping cart company, are not supposed to be emailing passwords, and added that they used to not do this. The support member said they'd create a support ticket to have it changed. Again, this was back in February.

I created a new account there just now and they are still sending passwords in plaintext. Seems like they don't really care. Either that or not much gets done in their company internally. Should I even bother sending another email?

What I would do.

[Mister+Null]

1> If it was a company wanting my business: I'd email their IT department explaining why I will never ever use them. 2> If it was a company who wanted to hire me: Likewise I would email the head of IT explaining why I'd never ever work there. 3> If it was just a company on the internet: I'd email their head of IT explaining what happened and do they need for me to recommend someone who can take care of this situation?

Passwords are everywhere

[bobjr94]

I bet most people (not slashdot readers) but most people don't know any saved password in firefox and chrome can be easily be seen. Let me borrow your laptop for a sec, I need to check something...Ok, got this guys banking and paypal passwords....

Re:Stop "eatin yer words" (it's not healthy!)

[Sardaukar86]

Stop stalking APK or go away.

Quit living in fantasyland

[weweedmaniii]

It's obvious 95% of the posters here have never worked on a real service desk. I spent 3.5 years working as a Security Account Admin and sent every password in cleartext and here's why. End users & their managers are remarkably computer illiterate. If I salted or hashed the passwords as so many have suggested, I would get a reply within 5 minutes saying "my password didn't work." As it was I still had about a 50% success rate with end users actually getting their passwords to work. Another issue I faced was a language barrier. Our work spanned 6 continents and roughly 18 time zones. as a result we provided 24 hour service and to a warehouse worker in Shanghai, my e-mails probably looked like they were written by an alien; which is why their managers were always copied on the e-mails. As a rule to ensure some security, all e-mails were sent encrypted and never sent to a third party address which angered the UPS & FedEx shippers in Asia. I also often copied the regional service desk person, as it was likely they spoke the language of the end user or someone on the service desk spoke it.

Don't talk w/ your mouth full Sardaukar86

See subject: As you "eat your words" http://it.slashdot.org/comment... 244++:1 against you!

* LMAO...

(You really ought to CHANGE YOUR DIET: "eating your words" != GOOD nutrition Sardaukar86...)

APK

P.S.=> Tell us: How does "eating your words" in a 244++:1 ratio against you taste? Can't be TOO good, spiced w/ the 'bitter taste of SELF-DEFEAT', & rammed down your throat since your FOOT'S IN YOUR MOUTH too, lmao... apk

Re:Nobody cares about the password your transcript

[toadlife]

In the summary there was no proof of a password being stored in clear text. It described the password being emailed in clear text.

Sending a clear text password for 'recovery' tells me that you didn't even bother to hash it

No, it doesn't. If the password was generated/reset and emailed at the same time it could easily be sent in clear text and hashed properly in whatever system it is used on.