• Guest (unregistered)

    The linked Stack Overflow question is interesting: people are asserting that it's not fine to send a password over email (reasonable, as there is no guarantee that the email transmission path is secure), but somehow it is fine to email password reset links. For the former to be insecure, an attacker has to have access to your email at the time the password was sent. In the latter case, any time an attacker can intercept your email, he/she can click to get a password reset link, and voila, they can take over your account.

    The only advantage for the user I can see in the latter case is that the attacker has to change the password to access the account, which could make the user aware of the takeover next time they try to log in, but by then it may already be too late.

  • LCrawford (unregistered)

    The plaintext password is not a risk in this case because it only protects the address associated with the Email, anyone with access to the Email inbox would already have the address from other correspondence. But it could become a risk if the credit card # is stored in the future.

    The real insult could be on a future order, attempting to just re-enter the address and not being allowed to without the password associated with that Email address.

  • Junior of Juniors (unregistered) in reply to LCrawford

    Pardon me, but isn't all e-mail traffic un-encrypted by default? which would mean that if somebody captured the e-mail, they could always send any number of purchases to the user at any time(since the password can't change).

  • RHawkeyed (unregistered)

    Well at least they attempted to protect it. A web-shop I have used a couple times just have you enter your email and it auto fills your full name, address and phone number from your profile without being logged in. At least phone number can be left blank on your profile.

  • Aquaflesh (unregistered)

    What annoys me to no end is the idea that many online retailers have, that you have to create an account with them to buy something. It's almost as if they hate returning customers. Imagine that you enter a physical shop where you've been before years ago, and try to pay for your stuff... the clerk says "sorry, you have to remember your password that you gave us 3 years ago, otherwise you may not buy anything here. Have a nice day!"

  • TheDaveG (unregistered) in reply to Aquaflesh

    Or how about the retailer that won't even let you browse the site unless you create an account?

  • GC (unregistered)

    Troy Hunt raised something even worse with Strawberrynet a while back - email address IS the password; what could possibly go wrong?

  • 🤷 (unregistered)

    "After all, there's only one thing that can beat programmer arrogance in this kind of situation: losing customers."

    Not true. They'll blame management or the sales department. Just like they do with everything else that goes wrong.

  • I dunno LOL ¯\(°_o)/¯ (unregistered)

    Not exactly the same thing, but a year or so ago, I was interested in getting a virtual host. I took a couple of hours comparing to decide which one I wanted to go with, then went to its web site. I was unable to sign up due to what appeared to be browser incompatibility, even after trying three browsers. I sent a moderately annoyed e-mail and got a response the next day. "Uh, yeah, it was just broken, I fixed it."

    What? The one thing which gets you the customers that you need to stay in business (this seemed to be a mostly one-guy-in-charge business), and you either push new code to live without testing, or (more likely, since he apparently didn't know until my e-mail) it has some bug that causes it to fail randomly, without even a cron job to watch and tell you when it dies? And on top of that, you want people to trust you to keep virtual hosts running for them?

    By that time I had already lost the urge, and am still hosting on my static-IP DSL like I have been for years.

  • Quango (unregistered)

    Put them up at http://plaintextoffenders.com/

  • Anonymous (unregistered) in reply to LCrawford

    Holy shit, you need to never be allowed anywhere you can do damage. Email is not secure.

  • Racer (unregistered) in reply to Quango

    Plaintextoffenders is dead. Last update was 2 years ago...

  • Jay (unregistered)

    So the programmer implemented his own system for auto-complete and made it password-based. He then sends the password to you via email in plain text. Sounds like he tried to solve a problem which was already solved, and made it worse by now making it insecure and taking the blame by storing it on his end instead of in the browser on the user's end.

  • Jay (unregistered)

    Please ignore my last sentance. Every online retailer has to store your information on their end somewhere.

  • unixcorn (unregistered)

    While many blame the programmers in these cases, most of the time the programmer is bowing to pressure from the propeller heads in the marketing department. I have argued many times with someone with a marketing degree on how site flow and account creation should work, only to be overridden and forced to do it "wrong".

  • Bitter Like Quinine (unregistered)

    I recently had to send a daily report to a the HQ of a major company. We had to send it via SFTP, and over a VPN tunnel. Access was granted through a public/private key pair. For which they emailed us the private key. This same key granted access to the VPN and the SFTP servers, both QA and production, for multiple accounts.

    One key to rule them all...

  • Hoodia Botrom (unregistered)

    obviously this technical solution sucks pretty hard for many reasons...no argument there in this particular case. but to characterize a class of developers with the statement "these programmers hammer out something easy and straightforward and consider it good enough" is inappropriate. that's exactly what you need to do in many cases and dismissively implying that it's always bad is typical, missing the forest for the trees, code-monkey crap. yeah, let's spend 20 fucking years building some architect astronaut bullshit with every pattern in the GoF book that never makes it to production.

  • Alepoldar (unregistered)

    I actually am one of those programmers who can't think like a non-technical user. I try, but I'm really bad at it. The important thing is that I recognise this, not as something that makes me better than them, but as a handicap that makes me less good at certain parts of my job. Anything I make that a user has to touch, I make very sure someone else tries it before it leaves my dev environment.

    Knowing your own flaws is important.

  • Vic (unregistered)
    1. Two weeks ago I placed an online order on a site where I expected to do additional business. I don 't remember if I was given an option which I selected, but in any case, when the order was complete, I received an email with account information.

    I signed in so that I could change the password, and when I was there thought I'd see what it said about the order status - and the site said I didn't have any orders. They created the account after the order, and the two weren't linked.

    1. Many years ago I was reviewing my passwords, and saw I had one which wasn't very secure. I went to the site but couldn't find the option to change my password, so I sent them a message. The reply I received was that the only way to change my password was to call them on the phone and tell them my new password, which they would enter.
  • I dunno LOL ¯\(°_o)/¯ (unregistered) in reply to Jay

    TRWTF is that he felt he needed a new unique identifier, when the e-mail address was sufficient for the purpose. And that it was so important that a random person should be expected to remember his random identifier.

  • I dunno LOL ¯\(°_o)/¯ (unregistered) in reply to unixcorn

    An analogy is if an architect was told by some marketroid PHB to put an unsafe something into a building. The difference is that there would probably be criminal implications if it failed and someone got hurt. So that might be an indication of time to put your resume out. Not quit outright, but definitely start looking.

  • Anonymous (unregistered) in reply to Jay

    They do not, except temporarily to process the order. Most of them seem to think they're some sort of information warehouse, however.

  • DCL (unregistered)

    "Rather than focus on what would make the software more usable, they program what is easiest for the computer to do, and call it a day." The concept that the programmer's job is to make life easier for the user, not for the programmer, seems alien to a fair number of programmers. I've had this argument countless times in teams where I've worked in the past.

  • Russ (unregistered)

    Most programmers are not end-users of their software, so don't think like end-users. The outright goofiness of the security of the example site could easily be addressed if someone in management had the intelligence to realize that one person's idea of doing things might not be the right way of doing things. The problem is solved when management takes responsibility and reviews the work of the programmer, like he or she is supposed to do.

  • LzzrdBorth (unregistered) in reply to Aquaflesh

    Imagine that you enter a physical shop where you've been before years ago, and try to pay for your stuff... the clerk says "sorry, you have to remember your >>password that you gave us 3 years ago, otherwise you may not buy anything here. Have a nice day!" Wait, wasn't that Radio Shack? Oh no, it just felt like it due to the Spanish Inquisition

  • Really (unregistered)

    I once had a contract with a giant multi-national corporation that is a household name. I had to devise more passwords during my first week there than in my previous decades of work put together, mostly for internal things. One of them was a minimum of 12 characters and it wanted at least one of uppercase, lowercase, number, and special character. Consecutive digits were disallowed, as were common dictionary words. After creating it, a checkbox asked me if I wanted my password emailed to me. Curious, I opted in. Yes, it was emailed to me in cleartext.

    I'm imagining one part of that project demanded high security on the password, and then a higher level of management got frustrated with the complexity and demanded the emailing "feature".

  • Dave (unregistered) in reply to unixcorn

    I worked somewhere passwords were stored in plaintext. I pointed out that letting the frontline service drones tell people their forgotten password was publicising an embarrassing security error. Their solution? Retrain the service desk to never admit they could see the users' plaintext passwords...

  • ZZartin (unregistered)

    Hm... the bigger issue is that there's no way to modify the account after it's created. It's not uncommon at all for sites to create an account and send a OTP as part of order creation, but usually it's just that and you can update the information later.

  • Joe (unregistered) in reply to Aquaflesh

    radio shack wanted your phone number to buy batteries

  • Oliver Jones (google) in reply to Guest

    Password reset links--when correctly implemented--expire promptly if unused, and become invalid immediately upon use.

  • LCrawford (unregistered) in reply to Anonymous

    Holy shit, you need to never be allowed anywhere you can do damage. Email is not secure.

    That's exactly what I was saying - email is not secure they could get access to the account and address. But as noted by '@Junior of Juniors' above, all the damage they could do is order random junk in the future sent to his address - and the prankster would have to pay for it if the credit card isn't stored.

    So the auto emailed password is not a big deal in 99.99% of the cases.

  • I Am A Robot (unregistered)

    My goto story about password security is a place I worked at 20 years ago. They took security seriously - there was no Internet access, no floppy drives, or CDs, and your login password was randomly generated every month. Which they printed and left in an envelope on your desk.

  • siciac (unregistered) in reply to Russ

    The problem is solved when management takes responsibility and reviews the work of the programmer, like he or she is supposed to do.

    Everyone needs to look to his left and right, otherwise you wind up with everyone pointing fingers at each other.

    Security is hard, and every team has to relearn all the basics. And that means you need to get used to teaching people. Tech support routinely gets panicky emails or angry customers swearing to never shop there, so Rick's probably didn't make his case.

  • (nodebb)

    Yes, many of us can't think like "normal users". For me, I use the "what would mom do?". While she is pretty up to date, she HAS seen a bunch. While she now doesn't use a computer, she did a few years ago. She now has a pretty valid excuse for bypassing the computer, as she is 99 years old.

    No, I don't think she got sucked into "where is the ANY key?", but I have run across others who don't understand the difference between coffee cup holders and CD trays. We would call them "dumber than cheese", which was unkind to cheese most of the time.

  • Former ISP Customer (unregistered)

    There is an ISP in Australia called 'Skymesh'. Its one of the more popular ones with gamers and people who want low latency internet, but is otherwise quite small.

    When you set up an account with them, they generate a random password for you and provide it in email. This is no problem, and has to happen, because if you're setting up your own modem you need to know your password. In the email they will encourage you to change your password.

    This is where it gets ugly.

    So you change your password to one you prefer and are going to use on the modem. This is all before the modem has arrived. (Pro active and all that). The modem arrives, you set it up, and connect to their internet. I can't remember the exact sequence of events, but I believe once you go online and they successfully register you've been online they send a sort of 'congratulations' email. In this email is a reminder of the password you've set- in plain text of course.

    So if you're ever going to use skymesh, just use their default password.

  • remy_finite (unregistered)

    I stood in line behind a guy who threw his burger at a poor high school girl just trying to work there.

    More than likely because a bunch of degenerate criminals sold him drugs!

    I'm still living that one down.

    Sorry, I know all the tricks. I wrote most of them!

    Let me tell you all what my psychologist told my Kindergarden teacher.

    Stop picking on Steve, and the class will flourish.

    This started long before I was born, out of my control, and I'm actually trying to be good.

    You hurt yourself more, much more, please.

    What do you want.

  • King of kings (unregistered) in reply to I Am A Robot

    30 years ago, in my first IT job one of the things I had to do was to think up those “randomly generated” passwords, write then on paper next to the user names and type them into the system. I then wrote out the details on the letters, put them in envelopes and left them on desks. This was once a month, on the last Friday (payday) after 5 pm. Why? Because the corporate internal audit team said passwords couldn’t last longer than 1 month and the system didn’t have a facility to allow users to change their own passwords.

  • Drake Christensen (unregistered)

    I recently co-signed on my mom's house refinance. Chase has a "secure document" site they insist on using during the process. The password length requirement is between 6 and 8 characters. I sent them an email pointing out how ridiculous that is in today's environment. Never got a response.

  • Guest (unregistered) in reply to Oliver Jones

    Password reset links--when correctly implemented--expire promptly if unused, and become invalid immediately upon use.

    And what's to stop the attacker requesting a new password reset link? If the attacker can read your old email, they can probably read your new email too, unless they've stolen your backup tapes. But these days most people keep their mail in the cloud and don't back it up themselves.

  • (nodebb) in reply to unixcorn

    I was developing a user service portal for an insurance investigation company – their customers would log in to access the databases and stuff the company had accumulated. For a long time the company rep was insisting that the login process should be as simple as possible. Therefore, it shall involved entering a four-digit PIN.

    That's it. Not a username/password combination. No second factor. One field, four digits, and you're logged in.

    The most upsetting part of that particular incident was the way I finally managed to convince the rep it was a bad idea: it would mean the portal could never have more than 10,000 users.

  • 🤷 (unregistered)

    🤷 wrote: "[Programmers]'ll blame management or the sales department. Just like they do with everything else that goes wrong." unixcorn wrote: "most of the time the programmer is bowing to pressure from the propeller heads in the marketing department."

    Thanks for proving my point.

  • bvs23bkv33 (unregistered)

    programmers who can not seem to think? it is like programmers who can not even imitate thinking?

  • WTFGuy (unregistered) in reply to I dunno LOL ¯\(°_o)/¯

    This is really the best parsing of the situation. The programmer labeled this generated string he sent in the email as a "password". It wasn't/isn't. It's simply an assigned user ID.

  • nasch (unregistered)

    "The concept that the programmer's job is to make life easier for the user, not for the programmer, seems alien to a fair number of programmers. I've had this argument countless times in teams where I've worked in the past."

    I've even had the argument with someone who I consider a good developer. He wanted to do what was easy for us even though it would lead to a bad user experience.

  • (nodebb) in reply to Former ISP Customer

    So if you're ever going to use skymesh, just use their default password.

    Back in the olden days of (Telstra Wholesale) ADSL I used to use Swiftel as an ISP. Say your phone number was (02) 7010 1234. Your DSL username was [email protected]. And your password was PWD0270101234T. This could not be changed, initially. I do remember a feature that was introduced where you could change your password. Note this was only for your PPP connection: the important username and password used for account access was separate.

  • Dave (unregistered)

    I quite regularly encounter (usually but not always) small retailers who create accounts on your behalf. Often it's when you select "check out as guest" but their system requires an account regardless. So they create the account anyway but don't send your password. Then next time they refuse to let you check out as a guest because the behind the scenes process fails as the account already exists so you end up having to try and reset the password for an account you never created in the first place.

  • James (unregistered) in reply to Zemm

    Plusnet in the UK force you to use the same password for PPP and your web portal/account access.

    I left.

  • Dr. λ the Creator of Variables, Binder of Variables, Applicator of Terms and β-Converter of Redexes (unregistered)

    I actually use a password manager so for me this shortcut would have been quite handy. Asking my password manager for a password goes faster then filling in my address.

    SO THE SYSTEM WAS GOOD

  • Dr. λ the Creator of Variables, Binder of Variables, Applicator of Terms and β-Converter of Redexes (unregistered) in reply to WTFGuy

    YOU ARE RIGHT IT WAS USER ID NOT PASSWORD SENDING IT ON EMAIL IS OK BUT MY PREVIOUS POST HOLDS SINCE PASSWORD MANAGER ALSO REMEMBER USER ID OK

Leave a comment on “The Unbidden Password”

Log In or post as a guest

Replying to comment #:

« Return to Article