29

I was kind of shocked when I just received my confirmation mail from the shop where I just registered myself: they sent my username (which is my email address) and the password I typed in. The password was not partially replaced with *s or similar; it was the naked, blank password I picked.

This does mean people who can check the emails the shop sends could theoretically see my login data, does it not? I believe this is the first time I get a confirmation with my full login information so this seems really weird and somehow concerns me. Should it?

From the fact that I received my password by email, I am guessing that the shop does not encrypt my password. Is this a valid inference?

Gilles 'SO- stop being evil'
Alex
    I wouldn't imply that they don't encrypt your password; I have seen quite a lot of sites that send the password out at registration, even though I dislike that concept. They take the input -> validate -> send mail -> encrypt -> save. That way you get a confirmation of what you have entered. – D. Schalla Jun 17 '14 at 08:33
  • But I should ask them if they do, shouldn't I? – Alex Jun 17 '14 at 08:34
  • 1
    Uhm, well, you can. You could also take a separate password which you don't use anywhere else. – D. Schalla Jun 17 '14 at 08:35
  • It is that kind of password anyway, I was just wondering – Alex Jun 17 '14 at 08:35
  • 6
    Related: http://security.stackexchange.com/questions/17979/is-sending-password-to-user-email-secure – Iain Galloway Jun 17 '14 at 12:26
  • 16
    Don't forget to add the site to plaintextoffenders.com – JSmyth Jun 17 '14 at 18:16
  • @JSmyth I think sites that do this shouldn't be added to plaintextoffenders - only if you can show they're *storing* in plain text. – corsiKa Jun 17 '14 at 21:54
  • 1
    @corsiKa here's a scenario: they stored your password encrypted but sent out the password in clear within the only confirmation email you happened to read via an unsecured and hence insecure channel. The pass could be compromised. Equally an attacker gets access to your old mailbox which was once registered with that site. Chances are you reused the password (probably even at multiple sites). – JSmyth Jun 18 '14 at 07:02
    They are using Magento and thus are not storing it in plain text, as it turns out. Anyhow, I really don't like my password being sent via email in plaintext, so weird. – Alex Jun 18 '14 at 07:47
  • @JSmyth I know that scenario. But in that scenario you have the option to do something about it. If they store it in plaintext, you don't. Also, your password only gets compromised in a targeted attack on you, while a plaintext stored password is compromised en masse. The two are so many worlds apart it's not even funny. – corsiKa Jun 18 '14 at 14:15
  • @corsiKa well, the password is yours in the end as well as this preference. Additionally, this is a part of a good design: the service doesn't need to send the password anywhere beyond its server at any time. It only has to accept one for verification. Only one way. – JSmyth Jun 18 '14 at 14:26

4 Answers

47

Sending you the password in plain text does not necessarily mean the database stores it in plain text, especially if they sent you the email before encrypting and storing the password. However, if you ask for the password later on (e.g. via a "forgot password" mechanism) and they do send it to you like this, it implies that they are either storing it in plain text or using an easily reversible encryption. In either case, there is reason to be concerned unless they only send you the password on registration and before storing it on their server in encrypted format.

In particular:

  • If they have a "forgot my password" link that sends you the password you had previously set up, then yes, there is reason to be concerned: they are storing the password in plaintext or using reversible encryption.

  • If they send you a new password, then it doesn't necessarily mean they are storing the password in plaintext or using reversible encryption. In that case, you don't have enough information to know whether there is cause for concern.

A separate issue is that, in any case, email is not a safe medium for sending passwords. Thus, even if they aren't storing the password in plaintext, if they are sending it to you by email in plaintext, that does pose some risk.

According to Plain Text Offenders:

Man in the middle attacks are easy to pull off between server and the communication protocol in itself is not encrypted.

D.W.
Abbas Javan Jafari
  • There are a lot of shopping sites on the internet nowadays and a lot of them are not officially recognized and certified. The best thing to do is (as you mentioned yourself) not to use your main password and also to use secure payment methods like PayPal. – Abbas Javan Jafari Jun 17 '14 at 08:48
  • 7
    You're right that this doesn't necessarily mean they aren't encrypting the password on their own servers (as they might be sending the mail before storing it), but it's still a security concern, as your password is still being stored in plaintext (on an unknown number of unknown servers between the sender and your inbox!) – Iain Galloway Jun 17 '14 at 12:23
  • 2
    I'd prefer if they *did* store the password in plaintext but didn't send it by email; for the same reason that I'd prefer to write my phone number on a piece of paper instead of *shouting* and spelling every digit more than once inside a mall, when giving it to someone else. – Bakuriu Jun 17 '14 at 15:57
  • That's true, but why choose the lesser of two evils when you have many encryption techniques? – Abbas Javan Jafari Jun 17 '14 at 16:21
  • 1
    If they are able to send it later as plaintext, this doesn't directly mean it's an easily reversed encryption method. The problem is that they shouldn't be using encryption at all. They should be using hashing algorithms which cannot be reversed at all. Encryption methods can be reversed with some decryption data. Hashing methods cannot be reversed no matter what. Regardless, I do agree that they are hopefully securing it before storing it and only sending it upon registration. – Spencer D Jun 17 '14 at 18:43
  • I remember taking part in a discussion about the benefits (for special cases) of using encryption rather than hashing to store the password. I have to do some digging before I can post the details. Regardless, sending a password in plain text (whether they store it in plain text or not) is dangerous because of the reasons mentioned in the answer and in the comments above. – Abbas Javan Jafari Jun 17 '14 at 18:51
  • @SpencerGrantDoak : check this out: http://www.bbc.co.uk/news/technology-12983734 this is just an example, there are times where you need to recover the actual password and this is almost impossible if you hash it. Although I agree that in most cases, passwords should be hashed – Abbas Javan Jafari Jun 17 '14 at 19:03
  • @AbbasJavanJafari Good point, but the issue I'd like to address is where you state that 'it implies that they are either storing in plain text or they're using an easily reversible encryption.' While yes, this does pose a security concern because of MiTM, this does not mean it's easily decryptable. It would be impossible to measure the strength of their encryption simply based on their ability to send the password again. However, you are correct that if they can send it again, it heightens security concerns, as this exposes the plaintext password in an email multiple times. – Spencer D Jun 17 '14 at 19:47
  • I agree and I'd like to further continue this discussion, maybe in chat? I made the mistake of misusing the word "easily"; what I meant is that they can easily decrypt it, as opposed to hashed passwords, which are nearly impossible to reverse. You are correct that it doesn't necessarily mean that, but websites that do this usually store it in plain text and not even in encrypted format. Check out http://plaintextoffenders.com/ – Abbas Javan Jafari Jun 17 '14 at 19:56
  • Alright. I was merely clarifying that point, but I do see your point about encrypting vs. hashing in some circumstances like as a reference in legal matters. I'll check out that site later as I'm about to be heading out. Thanks for the link and info about legal privacy cases where encryption is better than hashing. – Spencer D Jun 17 '14 at 20:18
  • Emails are NOT secure; Gmail announced that 50-60% of mail from and to external domains uses a plain connection. See http://www.toptechnews.com/article/index.php?story_id=101007M3D50W – Lesto Jun 18 '14 at 11:53
4

Shops should not send passwords over email. One of the reasons is an answer to one of the questions:

Yes, people who can check those emails their shop sends could theoretically [still yes if you leave that word out] see my login data.

Man in the middle attacks could also be successful if the shop uses HTTPS but accepts plain HTTP just as well; see the bank advice in the Netherlands.

Dick99999
4

Well, just because they sent you a plain text password does not mean they don't utilize cryptography when storing your password.

First of all, within cryptography there are hashes and encryption. They should neither encrypt nor store your password in plaintext. They should hash it.

Encryption Function: a two-way function which transforms data in a way which is difficult/near impossible to reverse without knowing the decryption key (I won't bore you about key types).

Hash Function: a one-way function which transforms data into a unique signature from which it is seemingly impossible to determine almost anything about the original data (length, text entered, etc.). Hashes are impossible to reverse and can only be discovered by brute force or a rainbow table. Brute-forcing is infeasible even with massive amounts of computational power. Rainbow tables can be thwarted if the website uses what we call a "salt" when generating their hash.

So, the website should not even store your password encrypted, but they certainly should not store it in plaintext.

However, what could be happening here is simple. When you register, the script that's called might automatically hash your password, add the hash to the database and, within the same instance, dispatch the email using PHP's mail() function. By using this function, the plaintext password would never actually get stored in a 'Sent Mail' folder, because the mail() function doesn't use an established email account to send from.

Sending the password in plaintext to the user via e-mail is still very insecure, but this doesn't necessarily mean that they don't store it on their end securely.

Shortened Version:

I know that was long-winded and technical, but the short version is that when you register, they might e-mail it in plaintext then, but then store it securely in an irretrievable fashion. It's still a security flaw, but, if they do this, it's not as big of a concern. Just because they send it as an e-mail doesn't necessarily mean it's stored in a 'Sent Mail' folder.

Spencer D
  • They actually save it encrypted; it is Magento. But sending the plain text password via email just really seemed awkward. Thanks for your answer! – Alex Jun 18 '14 at 07:48
  • 2
    It *is* as big of a concern. It's a *bigger* concern. Sending the password in plaintext in an email is *worse* than storing it in plaintext on the server. Depending on how well the rest of the server is set up, that plaintext file can at least be made rather difficult to lay hands on, but the nature of the email protocol precludes a similar level of difficulty in reading your messages. – Matthew Najmon Jun 18 '14 at 11:24
  • @MatthewNajmon Yes, it is worse to send the password in plaintext over email than to store it in plaintext in a database (arguably), but what's worse than that is to both store it on the server in plaintext and send it in plaintext. If they do both, that is the worst scenario. That being said, one could argue that sending it via email and storing it hashed is better, because an attacker would only get passwords obtained via MiTM, whereas if the attacker used SQLi, he would obtain every password, even those which were set up before the MiTM. Regardless, it's a bad system with possible bad outcomes. – Spencer D Jun 19 '14 at 15:58
  • @Alex, I'm certainly glad to hear that at least the storage is secure, but I would be leery about any site that emailed me my password for their site. – Spencer D Jun 19 '14 at 16:04
  • yep, it feels weird – Alex Jun 20 '14 at 08:00
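The two answers above describe the same design: hash the password with a salt before storing it, send a confirmation that never repeats it, and, because a hash cannot be turned back into the password, handle "forgot password" by mailing a short-lived reset link rather than the old password (the test the first answer proposes). Below is an added example of that flow written for this page; it is my own code, not the shop's, not Magento's, and not from any of the answers. It uses in-memory dictionaries as stand-ins for the database and the outgoing mail queue, scrypt from the Python standard library as the salted hash, and the placeholder URL shop.example for the reset link.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for the shop's database and its outgoing mail.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry as unix time)
OUTBOX = []         # (recipient, subject, body) tuples the shop "sends"

RESET_TTL_SECONDS = 3600
RESET_URL = "https://shop.example/reset?token="   # placeholder, not a real site


def hash_password(password, salt):
    """Salted one-way hash via scrypt (standard library). The per-user salt makes
    identical passwords hash differently, which is what defeats rainbow tables."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def register(email, password):
    if email in USERS:
        return False
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": hash_password(password, salt)}
    # The confirmation mail states the username only; the plaintext password is
    # discarded once the hash is stored and never written anywhere else.
    OUTBOX.append((email, "Welcome", f"Your account {email} has been created."))
    return True


def verify(email, password):
    record = USERS.get(email)
    if record is None:
        # Spend the same effort for unknown users so response time does not
        # reveal which addresses are registered.
        hash_password(password, bytes(16))
        return False
    return hmac.compare_digest(record["hash"],
                               hash_password(password, record["salt"]))


def request_reset(email, now=None):
    """'Forgot password' without recovering the password: the store holds only a
    hash, so the best the shop can do is mail a short-lived, single-use link."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        token_key = hashlib.sha256(token.encode("utf-8")).digest()   # store only a hash of the token too
        RESET_TOKENS[token_key] = (email, now + RESET_TTL_SECONDS)
        OUTBOX.append((email, "Password reset", f"Reset link: {RESET_URL}{token}"))
    # Identical reply either way, so the endpoint does not confirm which addresses exist.
    return "If that address is registered, a reset link has been sent."


def complete_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    token_key = hashlib.sha256(token.encode("utf-8")).digest()
    entry = RESET_TOKENS.pop(token_key, None)   # pop: a token works at most once
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    salt = os.urandom(16)                        # fresh salt for the new password
    USERS[email] = {"salt": salt, "hash": hash_password(new_password, salt)}
    return True


def outbox_mentions(secret):
    """True if any mail the shop sent contains the given string."""
    return any(secret in body for _, _, body in OUTBOX)


def last_reset_token():
    """Demo helper: pull the token out of the most recent reset mail."""
    for _, subject, body in reversed(OUTBOX):
        if subject == "Password reset":
            return body.split(RESET_URL, 1)[1]
    return None


if __name__ == "__main__":
    register("alex@example.com", "correct horse battery")
    print("login ok:", verify("alex@example.com", "correct horse battery"))
    print("password ever mailed:", outbox_mentions("correct horse battery"))
    request_reset("alex@example.com")
    print("reset ok:", complete_reset(last_reset_token(), "new passphrase"))
```

Note the inference the first answer draws: with this design the shop is physically unable to mail you your old password later, so a "forgot password" feature that does return the original password proves the store is plaintext or reversibly encrypted. The token is itself stored only as a hash, for the same reason the password is.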
3

Ok - many good answers here on plaintext passwords, hashes and storage...

But the single most compelling concern is:

E-Mail is usually not a safe way of transmitting data. It is probably about as safe as you shouting a message across the street, where someone will hear it and repeat it in the direction you specified as the target address...

No matter how safe their server is, with E-Mail you usually have no encryption in sending them and in many cases no authentication. So there are a bunch of man in the middle attacks to get the content of that E-Mail, which is most likely stored and parsed on its way by various virus/spam scanners, advertisement analysis and who knows what tools... The content of the E-Mail, including your plaintext password, could be flying around on countless machines of a spam-scanning or text-indexing cloud network...

Falco
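One thing a recipient can do about the transport concern in this answer is read the Received: headers of the mail they got. Each relay records the protocol it was spoken to with, and under RFC 3848 the values ESMTPS and ESMTPSA mean that hop was protected by TLS, while plain ESMTP or SMTP means the message crossed that hop in the clear. The following is an added example written for this page, not code from the answer or from any mail provider; it parses a constructed sample message (the hostnames and addresses are invented) and lists the hops that carried the confirmation mail unencrypted.

```python
import re
from email import message_from_string

# Constructed sample: a shop's confirmation mail seen from the recipient's
# mailbox. Three relays, the middle one without TLS. Hostnames are invented.
SAMPLE_MESSAGE = """\
Received: from mx.mailbox.example (mx.mailbox.example [192.0.2.20])
\tby imap.mailbox.example with ESMTPS id x1
\tfor <alex@mailbox.example>; Tue, 17 Jun 2014 08:30:05 +0000
Received: from relay.shop.example (relay.shop.example [198.51.100.7])
\tby mx.mailbox.example with ESMTP id y2
\tfor <alex@mailbox.example>; Tue, 17 Jun 2014 08:30:04 +0000
Received: from localhost (localhost [127.0.0.1])
\tby relay.shop.example with ESMTPSA id z3; Tue, 17 Jun 2014 08:30:03 +0000
From: noreply@shop.example
To: alex@mailbox.example
Subject: Welcome to the shop

Your account has been created.
"""

# RFC 3848 "with" protocol names that indicate the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}

_FROM_RE = re.compile(r"\bfrom\s+(\S+)")
_BY_RE = re.compile(r"\bby\s+(\S+)")
_WITH_RE = re.compile(r"\bwith\s+([A-Z]+)")


def trace_hops(raw_message):
    """Return the Received: hops in chronological order (sender first), each
    with the relay pair, the recorded protocol and whether it implies TLS."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = []
    # Relays prepend their header, so the topmost one is the last hop.
    for header in reversed(received):
        folded = " ".join(header.split())      # undo header folding
        frm = _FROM_RE.search(folded)
        by = _BY_RE.search(folded)
        with_ = _WITH_RE.search(folded)
        protocol = with_.group(1) if with_ else "unknown"
        hops.append({
            "from": frm.group(1) if frm else "?",
            "by": by.group(1) if by else "?",
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
        })
    return hops


def cleartext_hops(raw_message):
    """(from, by) pairs for every hop that did not record a TLS protocol."""
    return [(h["from"], h["by"]) for h in trace_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_MESSAGE):
        flag = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']:>22} -> {hop['by']:<22} {hop['protocol']:<8} {flag}")
```

Two caveats apply when using this on real mail. Only the headers added by your own provider's relays can be trusted; anything below them was written by systems you do not control and can be forged. And ESMTPS only tells you the hop was encrypted, not that the relay checked the next server's certificate, so a passive eavesdropper is excluded but an active one may not be.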