Plaintext passwords
Whenever some website emails me MY OWN PASSWORD in plaintext, I feel like pulling my hair out.
1. You should not be storing passwords in plaintext!!! NOT! EVER! There is no excuse for that, no excuse, I don’t care how small and insignificant your website is, that is unacceptable, simply unacceptable!
2. You should never email such significant information over an unsecured channel such as email. Again, NOT EVER.
2b. Because you do the stupidity of emailing me my password, anyone looking over my shoulder can see it too, they don’t even need to know what a sniffer is. WOW, thank you!
3. Why would you ever email me my own password? WHY?! It’s like calling me and telling me my name, then asking me what my name is then telling me my name again to see if I still remember it! No actually, wait, that would not be as moronic because my name is NOT A SECRET ONLY I SHOULD KNOW!
So, kids, that’s why you should NEVER use the same password for things that are really important, like email and bank accounts, as you use for crappy websites that can’t even do hashing and salting.



Some sites email you your password in plaintext only when registering. They can take the password, mail it to you and then encrypt it and store it.
Or.. they could just store it plaintext.
Dude, you HONESTLY think that a website that emails you your password actually does encryption?
I will bet that if you use the “forgot password” functionality on these websites they email you back your old password.
I know there was one big site that mailed me my password when I registered and explicitly said something along the lines of “Remember this! We won’t store it, that’s your job”. (can’t remember the site, just the mail)
But yes, I agree, most of them just store it plaintext. Some e-stores in Romania store them like this. I won’t give names, maybe they changed stuff from the last time I peeked. :-”
And if I were to ask for some “salt” before hashing the password, I think people will look at me funny.
Anyway, this is why I recommend that people have a different password for each site.