Recently, Kim reached out to one of our vendors looking for password support. Here’s what happened and what she has to say:
No matter how complex and secure you force your user passwords to be, they are rendered immediately insecure and at risk the moment you send the user a confirmation email that includes that password in plain text that anyone can read or scrape.
I was getting set up with a new account for productivity software services. I went in and changed my password from the temporary one I was assigned at account creation to one that I could more easily remember.
To my horror, I then received an email confirming this change that contained the password in its entirety in unencrypted text. Not just that, but my username was included in the very same email. This means that if my email account should become compromised for any reason, my username, password and associated email address could be scraped in a millisecond.
Or, in an even more common scenario, if anyone were to gain access to my desk while my computer was unlocked – if, for example, I went to the bathroom and forgot to turn on the screen saver, and someone walking through the office decided to sit down and look at my email – they would then have all of my credentials to log in. If someone intercepted this email in transit, or got it off one of the dozen servers it pinged off of on its way to me, they would have all of my information without even having to try to compare my password against a rainbow table.
Given that the vast majority of web users reuse the same password and username for literally all of their accounts, if I were among this majority, that person sitting at my desk or who had gained access to my email by any other means would then be able to log into my online bank accounts, online medical records, and anything else I had foolishly (but oh so commonly) reused the same username and password for.
Sending encrypted password confirmations via email is considered an egregiously poor security practice that has been frowned on by computer and data specialists of all kinds since roughly the inception of email. We urge any company who utilizes this unsafe practice to stop this practice immediately. It is hard to underscore exactly how irresponsible it is from a data security perspective, but they are putting everyone connected to their server at risk.
We use Evernote’s encryption features and OneTimeSecret.com to save and share passwords. Improve your cyber security and never send passwords through email. It’s too big of a risk!