2

I recently registered for a website and received an email that said "Thanks for registering, here's the username and password you used to sign up".

The webmaster assures me that plaintext passwords are not stored in the database, but even if the plaintext is only kept long enough to send the email, that's still a bad sign, right?

Are there other risks besides "email is insecure so you shouldn't email passwords"?

Jeff Burka
  • 123
  • 3
  • I've encountered a few VPS providers that send root passwords via plaintext email ;) – mirimir Mar 12 '14 at 04:05
  • http://plaintextoffenders.com/ This website is a collection of places where clean-text passwords were sent out in mails. If is it so, the place that sends the password, has the password in cleartext. Passwords need to be stored in hashes, ex: bcrypt, scrypt. – evachristine Mar 12 '14 at 09:18

2 Answers2

3

When a webmaster sends you a plaintext password, that usually implies that they do not hash passwords, which is a bad sign. But when the webmaster assured you that they do so right after they sent the confirmation mail, I would assume good faith and assume that they say the truth. Those few microseconds more during which the system has access to your plaintext password is unlikely to be a realistic additional security risk. But sending cleartext passwords in email is still a dangerous anti-pattern which should be avoided:

  • Emails are generally transferred and stored unencrypted. That means a password could get compromised by your mail provider or any servers in-between.
  • It is vulnerable to accidental (or intentional) shoulder-surfing. The reason why all password-inputs obscure the characters entered is that you can register an account and log into it while you have another person with you. But when the password appears in clear-text in the confirmation-mail, that person will see it (you have no reason to believe that the mail will contain any sensitive info except the usual "welcome to yadda yadda click here to activate account yadda yadda", so you would have no reason to tell them to look away when you open it).
  • It compromises your account when someone gets a peek at your email. For example when you accessed it from a public computer and didn't log out or leave your desk without locking your desktop while you have company. One could argue that your email account is your master-key to your online identity because it allows you to reset or request (unhashed password! bad!) the password of almost any other account you have, so you should protect it at any cost. But requesting passwords through email would leave traces and tell you how and when your password was obtained. Just scrolling through your mail while you aren't looking would not.
Philipp
  • 49,017
  • 8
  • 127
  • 158
1

Sending a permanent password via email is not acceptable if you care about account security.

However, if the web site isn't important to you (for example, a discussion forum), then it might not matter.

What is the Password Protecting?

Is the password intended to protect you and your information?

Or is intended to benefit the web site, such as allowing the site to track your activity or to protect from "unknown users" from posting? There are so many sites that require you to register but that provide little value to you.

If someone stole my account on this site, I'd be sad but I'd get over it. If they stole my bank account information, that's a different story.

jdigital
  • 328
  • 1
  • 5