Does it make sense to send password information in email from websites?

Most online registration sites send an activation link, and in further correspondence with the end user they provide information about the site as well as the login credentials, with the password in clear text (as shown below):

Username - myname@gmail.com Password - mysecretpassword

What would you do then? From the point of view of ease of use, does it make sense to send password information in clear text, or simply not to send this information at all? I was under the impression that most passwords are MD5-hashed before being stored in the database, so the service provider would not have access to the plain-text passwords. Is this a security breach?

+6
security passwords usability
3 answers

This is a common mistake: assuming that receiving your password in plain text means it is not stored safely. Passwords, like any other data, can be stored using reversible encryption.

Having said that, it is very likely that anyone who sends you a clear-text password has no concept of security and probably stores them carelessly (unless the passwords are used as weak real-world identifiers, in which case they should not be called passwords, so that your customers do not get confused).

If you send a password in plain text, you can also assume that, if it is associated with anything important, it has been compromised. There are too many weak points. You can also do much more inadvertent damage:

  • An email can be intercepted, giving someone else the password.
  • Someone could see it when they open the email on their screen (I have lived in shared houses where this happened so many times, and every time you have the headache of changing all your passwords).
  • Email can be forwarded to other addresses that are not secure.
  • A server error could bounce the message, and then you (or perhaps your untrusted staff or outsourced support service?) and the administrator of the e-mail system will probably receive copies of the original message.
  • Someone who gets access to the user's email through a cookie hijack, or even just an open email account that was never logged out, will now be able to see their password. Even worse, their password is probably used somewhere else (or at least shares a common basis, for example "password1", "password1$$", "passwordSuperSecure123"), so now you are putting more than just your own service at risk. Worse still, it could be the email account password that was captured, and now they can take over that person's email account, and thus their identity, for longer than the expiry of the cookie/session. (All of this has happened to people I know.)
+6

Yes, this is definitely a security breach. Only salted and hashed versions of passwords should be stored.

Usually a password reset function is used, which sends either a temporary, automatically generated password (which should be usable only for one login) or a one-time reset link. This means that your other accounts are not exposed through your mailbox.

However, you should avoid any site that sends your actual password in clear text.

+5

There are always trade-offs, and developers have to consider usability, the sophistication of the intended users, the privacy and importance of the data, the frequency of use of the website, and so on. Of course, users don't want their privacy violated, but on the other hand "regular" web users can be put off if they need to remember a password, or even think one up first (some websites make registration easy by generating a random password and emailing it). Website developers are responsible for taking user interests into account when designing security.

My advice is that passwords should only be sent by email if they are generated randomly. This avoids the following awkward scenario: a user signs up with a password that they already use for various other web services, and then receives a registration confirmation email containing the password they just entered. Many users may not have enough security awareness to use unique passwords for each website, but they are security-aware enough to understand that sensitive passwords should not be emailed.

+1
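The second and third answers above describe the alternatives to mailing a stored password: keep only salted hashes so the plain text cannot be recovered, send a single-use reset link with a short lifetime, or send a randomly generated initial password that must be changed at first login. The following Python script is an added example, not code from the original thread; the in-memory dictionaries stand in for database tables, and the PBKDF2 iteration count and reset-token lifetime are assumed values.

```python
"""Added example: salted password hashing, single-use reset tokens and
random initial passwords. The stores below are constructed stand-ins for
database tables; the work factor and token lifetime are assumptions."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware
RESET_TOKEN_TTL = 15 * 60    # assumed lifetime of a reset link, in seconds

# username -> {"salt": bytes, "hash": bytes, "must_change": bool}
USERS = {}
# sha256(token) hex -> {"user": str, "expires": float}; only the hash of the
# token is stored, so a leaked table does not yield usable reset links
RESET_TOKENS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash; the plain text is never stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS)


def create_user(username: str, password: str, must_change: bool = False):
    """Store a fresh random salt and the derived hash for the user."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt,
                       "hash": hash_password(password, salt),
                       "must_change": must_change}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def generate_initial_password(length: int = 16) -> str:
    """Random temporary password (answer 3): safe to email only because it
    is not reused anywhere, and the user is forced to change it."""
    alphabet = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def register_with_mailed_password(username: str) -> str:
    """Create the account with a random password flagged must_change and
    return the password so the caller can email it."""
    temp = generate_initial_password()
    create_user(username, temp, must_change=True)
    return temp


def issue_reset_token(username: str, now: float = None) -> str:
    """One-time reset link (answer 2): return the token to put in the URL;
    only its hash is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + RESET_TOKEN_TTL}
    return token


def redeem_reset_token(token: str, new_password: str,
                       now: float = None) -> bool:
    """Consume the token (single use) and, if unexpired, set a new password
    with a fresh salt. Returns False for unknown, reused or expired tokens."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # pop makes the token single-use
    if entry is None or now > entry["expires"]:
        return False
    create_user(entry["user"], new_password)
    return True


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    print("login ok:", verify_password("alice", "correct horse battery staple"))
    print("stored record holds no plain text:", USERS["alice"])
    token = issue_reset_token("alice")
    print("reset accepted:", redeem_reset_token(token, "new password"))
    print("token reuse rejected:", redeem_reset_token(token, "again"))
    print("mailed temp password for bob:", register_with_mailed_password("bob"))
```

The point of `hash_password` plus `verify_password` is that the site can confirm a password without ever being able to reproduce it, which is exactly why a site that mails you your own password back must be holding it in recoverable form. `redeem_reset_token` pops the entry before checking expiry, so a token can never be tried twice even when the first attempt was late.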
