

Ask Slashdot: Dealing With Passwords Transmitted As Cleartext?

An anonymous reader writes: My brother recently requested a transcript from his university and was given the option to receive the transcript electronically. When he had problems accessing the document, he called me in to help. What I found was that the transcript company had sent an e-mail with a URL (not a link) to where the document was located. What surprised me was that a second e-mail was also sent containing the password (in cleartext) to access the document.

Not too long ago I had a similar experience when applying for a job online (ironically for an entry-level IT position). I was required to set up an account with a password and an associated e-mail address. While filling out the application, I paused the process to get some information I didn't have on hand and received an e-mail from the company that said I could continue the process by logging on with my account name and password, both shown in cleartext in the message.

In my brother's case, it was an auto-generated password but still problematic. In my case, it showed that the company was storing my account information in cleartext to be able to e-mail it back to me. Needless to say, I e-mailed the head of their IT department explaining why this was unacceptable.

My questions are: How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail? And what would you do if this type of situation happened to you?

8 of 251 comments

  1. Simple by juanfgs · Score: 5, Insightful

    What would you do if this type of situation happened to you?

    I'd continue using different passwords for different accounts and not being a whiny bitch about it.

    1. Re:Simple by Anonymous Coward · Score: 5, Insightful

      Don't mod down the angry bro just because he uses bad words.

      The only safe assumption is to assume that no one handles passwords correctly. So you use a different password for every service. Use a password manager and let it generate random passwords for you.

      The question one then has to answer for themselves is: if I assume they are not properly handling passwords, how much personal information am I willing to provide? You're on your own for that, as everyone values information differently.

  2. Security by corychristison · Score: 3, Insightful

    Your first example is acceptable in my opinion, as that password was probably random and (essentially) single use. After logging in, you should immediately change the password to something you can remember.

    The second example, however, is a big no-no in my books. I develop web-based applications for a living. The only time we send a password over e-mail (or SMS) is when a user has locked themselves out of their account and is using the account recovery tool to regain access. This is how we handle it:
    1. Click on "Forgot Password"
    2. Enter your e-mail address (and username if different from e-mail address), click "Begin Recovery"
    3. Send an e-mail with a verification URL for them to continue the process; this is to confirm they actually are the owner of the e-mail address, and also to weed out people trying to use the recovery process maliciously.
    4. Upon following the URL you will be prompted to answer two security questions you set up on registration from a set of predefined questions. You must answer both correctly to proceed. Internally, when this URL is hit, the account in question is flagged in the DB that it is now in Recovery Mode.
    5. Upon answering the questions correctly, you will be e-mailed a single-use password you can log in with.
    6. Upon logging in, you are required to change your password to something you can remember (or store in a password DB, like you should be doing).

    I know it's long and cumbersome, but it works.
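The six-step flow above, written out as an added example (not corychristison's code, and not any real site's): the link token and the single-use password are random, only their hashes are stored, the link and the one-time password each work once, and the normal password is refused until it has been changed. The user, answers and 15-minute expiry are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # seconds a recovery link and the single-use password stay valid

def _kdf(secret: str, salt: bytes = None) -> tuple:
    salt = salt or secrets.token_bytes(16)  # salted PBKDF2 for passwords and answers
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

# Constructed in-memory stand-in for the DB: one user whose answers ("rex", "paris") are
# stored lower-cased and hashed exactly like the password, never in clear.
USERS = {"alice@example.com": {"pw": _kdf("old-secret"), "recovery": None, "must_change": False,
                               "answers": [_kdf("rex"), _kdf("paris")]}}

def set_password(email: str, password: str) -> None:
    USERS[email].update(pw=_kdf(password), must_change=False)

def _valid(user: dict, field: str, value: str) -> bool:
    # Random tokens need no salt or slow hash; compare in constant time and honour the TTL.
    rec = user["recovery"]
    return bool(rec and rec[field] and time.time() < rec["expires"]
                and hmac.compare_digest(rec[field], hashlib.sha256(value.encode()).digest()))

def begin_recovery(email: str) -> str:
    # Steps 2-3: random token, only its hash is stored; the URL goes in the e-mail.
    token = secrets.token_urlsafe(32)
    USERS[email]["recovery"] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                                "otp_hash": None, "expires": time.time() + TOKEN_TTL}
    return "https://example.invalid/recover?token=" + token

def answer_questions(email: str, token: str, answers: list):
    # Steps 4-5: a valid link puts the account in Recovery Mode; both answers must match.
    user = USERS[email]
    if not (_valid(user, "token_hash", token) and len(answers) == len(user["answers"]) and all(
            hmac.compare_digest(_kdf(a.strip().lower(), s)[1], h)
            for a, (s, h) in zip(answers, user["answers"]))):
        return None
    otp = secrets.token_urlsafe(12)
    user["recovery"].update(token_hash=None, otp_hash=hashlib.sha256(otp.encode()).digest())
    return otp  # single-use password to e-mail; the link above is now spent

def login(email: str, password: str) -> str:
    # Step 6: the single-use password logs in exactly once and forces a password change.
    user = USERS[email]
    if _valid(user, "otp_hash", password):
        user.update(recovery=None, must_change=True)
        return "change-password"
    salt, h = user["pw"]
    ok = hmac.compare_digest(_kdf(password, salt)[1], h) and not user["must_change"]
    return "ok" if ok else "denied"
```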

  3. Re:Responses by PraiseBob · Score: 1, Insightful

    For the first example, this will happen anytime a site has to generate a password for you, that is to say, millions of times a day. The site has to get the password to you, and can generally do so by email, SMS, telephone call, or an in-person visit. The same 3-letter agency is monitoring all of those electronic methods, so it really doesn't matter which you use, but email is the cheapest by far. The local network/PC is always going to be the weakest link, so use https for webmail. Splitting sensitive information into two emails makes it much harder for the bad guys. Enough so that it is standard practice for the banking industry and is part of PCI compliance for transmitting credit card numbers.

    For the second example: so what? It's a one-time temporary password that you picked yourself. The risk of a compromise is minimal, the reward for a hacker is minimal. Is it poor security practice... maybe? But you have to weigh the cost-benefit ratio.

  4. Re:Responses by chihowa · Score: 3, Insightful

    My site, on account creation, generates a password and sends it to you in email in cleartext before putting it in the DB. In that email is a link to reset the password; you can't log into the rest of the site until you've done so. The updated password (and the original) are stored encrypted in the DB.

    If anyone has a better suggestion, I'm all ears.

    Seriously? Let the user enter their own password at account creation and send them an email with a link (containing a random hash that's indexed to that user in the DB) to verify the email address (if that's even a necessary step... it isn't always).

    Why would you need to generate a password for them, especially if you're going to email it plaintext and make them change it anyway? What possible benefit does that serve?

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.

  5. Re:Happened to me once with a magazine subscriptio by i.r.id10t · Score: 3, Insightful

    They didn't salt and then hash their copy of the passwords - they are still stored plain text. They just stopped including it in your email.

    --
    Don't blame me, I voted for Kodos

  6. Nobody cares about the password your transcript... by toadlife · Score: 3, Insightful
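The alternative chihowa suggests (user-chosen password, random verification token indexed to the user) combined with i.r.id10t's point about salting and hashing, as an added example that is neither poster's code: only a salted hash of the password is ever stored, so no later e-mail can contain it, and the verification token is looked up by its hash, expires, and works once. The addresses, URL and 24-hour expiry are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 24 * 3600  # seconds a verification link stays valid (assumption)
USERS = {}            # constructed in-memory stand-in for the users table
PENDING = {}          # sha256(token) -> (email, expiry): the random value indexed to the user

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def register(email: str, password: str) -> str:
    """The user picks the password; only a salted hash is kept, so the site could
    not e-mail it back even if it wanted to. Returns the verification URL to send."""
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": _kdf(password, salt), "verified": False}
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).digest()] = (email, time.time() + LINK_TTL)
    return "https://example.invalid/verify?token=" + token

def verify(token: str) -> bool:
    """Consume the link: unknown, expired and already-used tokens all fail the same way."""
    entry = PENDING.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or time.time() > entry[1]:
        return False
    USERS[entry[0]]["verified"] = True
    return True

def login(email: str, password: str) -> bool:
    """Login is refused until the address is verified; the hash compare is constant-time."""
    user = USERS.get(email)
    if user is None:
        _kdf(password, b"\0" * 16)  # spend the same time so unknown users are not faster
        return False
    return user["verified"] and hmac.compare_digest(_kdf(password, user["salt"]), user["pw_hash"])
```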

    ...or your job application.

    Because of the low value of the data that the password grants access to, lax handling of the password is acceptable.

    Now if the password granted you access to everyone's college transcript or job application, then how it was handled would certainly be important.

    Different types of data have differing security requirements.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

  7. All the time for resetting a password. by LWATCDR · Score: 1, Insightful

    Really? Of course they will send you a reset password in email. The other option is that or a link.
    Ideally it is only good for a single use and you then enter a new password.
    How else would you do password recovery?

    --
    See my blog http://ilovecookes.blogspot.com/ for light-hearted technical information.