2

Receiving an e-mail with my user id and password just after registering on a website is not rare. However, I believe it is bad practice, as it seems those e-mails cannot really be made secure.

  • Is sending those passwords by e-mail really wrong? I did read a lot about this topic, but can’t find a clear-cut answer.
  • If it is wrong, how do do I tell them? Is there any clear reference on this topic?
Philippe-André Lorin
  • 121
  • 2
  • 1
    Are you forced to change your password once you login for the first time? It's certainly not a best-practice, but I don't believe the policy is particularly heinous on its own if properly implemented - it's more of an indicator that the site may not have the greatest security policies. If you walk into the bank and the teller gives you your cash out of his wallet it's not the end of the world on its own, but it makes you worry about what else the bank is doing poorly. – Cowthulhu Feb 21 '18 at 17:56
  • 1
    https://security.stackexchange.com/questions/61215/the-registration-confirmation-email-contains-my-password-do-they-keep-it-in-pla?rq=1 – schroeder Feb 21 '18 at 19:51

2 Answers2

1

It's certainly not a secure practice. But as to whether insecure sites using this practice are worse than other insecure sites, it depends on your users and threat model.

If 50% of your users' passwords are "111111", "qwerty" and "bugmenot", and 45% are equal to their logins, you could actually improve security that way.

If your password reset policy requires nothing but the user's email, which is very common, then any MITM or anyone with access to your or your user's mail has the door open already. However, they're not the only threat...

The real problem is the implications of such a practice. Hopefully the passwords aren't stored in plaintext, but emails get kept in some databases, and these passwords will leak when one gets mined. I get a lot of targeted spam offers to sell out the user DB of a website I run; don't know how many people accept those, but some clearly do.

Of course, if the only thing of value on your website is the users' email addresses, the damage has to be weighted against the mitigation of damage from password reuse for users who don't care.

For a site that has user data of real value, or especially a financial one, any transmission of the password is highly inappropriate. Even if it has to be changed immediately, that one-time login is better done with a one-time authentication token. So it's unlikely that any site following this practice is designed in a secure way.

Therac
  • 2,610
  • 11
  • 18
0

In short, you could tell such webmasters this:

  • Manually managing passwords is too much work for him.
  • A feature for password reset is cool.
  • Most websites send a time-limited URL for password reset.
  • The password should not be stored, but a hash value like sha256.

And: If he does not know your password, them his legal position is way stronger.

bbaassssiiee
  • 363
  • 1
  • 11