Wednesday, October 18, 2006

Just Say NO!

One would think that in today's day and age, I wouldn't have to say this... Note to Security weenies (you know who you are):

DO NOT SEND PASSWORDS via EMAIL.

After changing my password at a site that shall remain nameless, I received a confirmation of password change with the new password sent to me via email. Just in case I was too stupid to remember the password that I just typed in twice in the change password screen ---- duh...

This fits into one of my pet peeves: we've all seen those login prompts that give us an option for "forgotten passwords":

Note the little "We'll email your password to you"... So, if I've "forgotten" my password, they will nicely email it my address of record. How nice...

This is BAD for many reasons including:

  • Someone who has access to my email (perhaps because I left my computer unlocked) gets to see my password when the email shows up moments later and I have no way of knowing that happened (as long as they delete the email). Then they can login as me whenever they want and I won't be the wiser.
  • If I were the typical user and used the same password in many places (which I'm not) this would be even more dangerous because the password obtained by the user would be usable in many locations. The user can protect themselves by limiting the number of places they use the same password, especially if the site has an email-the-password-to-me option.
  • Mail is sent in plain-text, so anyone along the mail delivery path can read the email (who's To: usually happens to be the login and includes the password (and usually has nice text about "Here's the password you requested")). This makes it easy to pick off as the email makes its way to the user

So, what should you do instead? The answer is pretty simple.... Give the user a way of resetting their password without showing them what the old password was. This can still be controlled by access to my email account (so email the reset link to me) and yes, this means that someone who gets control of my laptop/email could potentially change my password, but I would know that when I went to that site and they couldn't use that password on any other system.

When writing this note, I looked at several of my common sites (eBay, Amazon, Wachovia, etc. -- many of which I think used to have the email-the-password solution) and they all had substantially better solutions, including some level of account verification process and allowing the password reset rather than showing the password.

The username/password system is weak enough without having substantial holes in it like this. If your site does things this way, please fix it!!!

Tags : / / / / /

2 comments:

Anonymous said...

I'll bet they sent you your UserID in the same email.

Which puts me in mind of those financial institutions who wisely encrypt their off-site backup tapes... and include the decrypt keys on the same tape, just so they can find them later.

Anonymous said...

Check out the registration process for the new Liberty Forums... [ahem] Then maybe give Peter a call at Neustar ;^)