Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Dealing With Passwords Transmitted As Cleartext?

Posted by timothy on from the secret-password-on-the-wall dept.

An anonymous reader writes: My brother recently requested a transcript from his university and was given the option to receive the transcript electronically. When he had problems accessing the document, he called me in to help. What I found was that the transcript company had sent an e-mail with a URL (not a link) to where the document was located. What surprised me was that a second e-mail was also sent containing the password (in cleartext) to access the document.

Not too long ago I had a similar experience when applying for a job online (ironically for an entry-level IT position). I was required to setup an account with a password and an associated e-mail address. While filling out the application, I paused the process to get some information I didn't have on hand and received an e-mail from the company that said I could continue the process by logging on with my account name and password, both shown in cleartext in the message.

In my brother's case, it was an auto-generated password but still problematic. In my case, it showed that the company was storing my account information in cleartext to be able to e-mail it back to me. Needless to say, I e-mailed the head of their IT department explaining why this was unacceptable.

My questions are: How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail? and What would you do if this type of situation happened to you?

6 of 251 comments (clear)

  1. Responses by neminem · · Score: 5, Informative

    "How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail?"

    Not *that* often, but more often than you would think. (See plaintextoffenders.com - they've got hundreds of examples.)

    "What would you do if this type of situation happened to you?"
    What I do when this happens:
    1. Take a screencap of the email, black out the username and password, and send it to plaintextoffenders.com
    2. Contact the site admin, let them know that you just did that, and why it's such a bad idea. Link them to http://plaintextoffenders.com/...
    3. Immediately change your password on the site to something stupid that would definitely not even *remotely* help an attacker guess what sort of passwords you might use on other sites, since if their password security is that awful, chances are their security is awful in other ways too.

    1. Re:Responses by sexconker · · Score: 5, Informative

      My site, on account creation, generates a password and sends it to you in email in cleartext before putting it in the DB. In that email is a link to reset the password; you can't log into the rest of the site until you've done so. The updated password (and the original) are stored encrypted in the DB.

      If anyone has a better suggestion, I'm all ears.

      Don't send the fucking password in plaintext.
      Don't store the fucking password. If your database/application can read it, then it's decrypted at some fucking point. Don't fucking do it.

      User creates account.
      User provides password, username, email, etc.
      You generate salt.
      You generate a UUID (emailverificationUUID).
      You create DB entry with username, email, HASH(password + salt), salt, emailverificationUUID, emailverified (0).
      You email the user "Your account has been created, please click this link to verify your email address.".
      Link contains the UUID. When clicked, the site performs normal login processes (prompt login if not logged in already) and then verifies that the UUID matches the UUID stored for the logged-in user, and sets emailverified to 1 for that user if so.

  2. Simple by juanfgs · · Score: 5, Insightful

    What would you do if this type of situation happened to you?

    I'd continue using different passwords for different accounts and not being a whiny bitch about it.

    1. Re:Simple by Anonymous Coward · · Score: 5, Insightful

      Don't mod down the angry bro just because he uses bad words.

      The only safe assumption is to assume that no one handles passwords correctly. So you use a different password for every service. Use a password manager and let it generate random passwords for you.

      The question one then to answer for themselves is if I assume they are not properly handling passwords, how much personal information is one willing to provide. You're on your own for that as everyone values information differently.

  3. I used to see that all the time by HangingChad · · Score: 5, Interesting

    Before NMCI came along, I was tasked with taking over a mapping application for the Navy and discovered the app was sending admin credentials in clear text in the URL string. Instead being of grateful I found the obvious sloppy coding they accused me of trying to pad my billing with make work and blaming the previous programmer. When I explained their application was crap and a giant security hole they would say, "Well, it works for us."

    So I totally understand how apps like that make it online.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  4. FAO of inspector general - copy to Congress by Bruce66423 · · Score: 5, Interesting

    The inspector general of the navy should be informed, with a copy to the chairman of the armed services committee. Then run away. Fast...