You’d think that in 2007 developers would know enough not to send someone’s password to them in plain text, for any reason. But no, right after confirming my e-mail address, I get it e-mailed to me along with my username. “Just in case you forgot, here’s the login information for your shiny new account.” Idiots.
Here are a few things everyone developing an application should know about passwords:
- Never send them anywhere in plain text – what if the person requesting it isn’t the user? And just what if that password is also used for something sensitive?
- You shouldn’t even have access to the password in plain text. Store the things after running them through a salted hash function. And don’t use the same salt for every password.
- When someone wants to reset their password, never let them do it just by answering a secret question. Send the password reset request to their confirmed e-mail address instead.
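The three rules above, as an added Python example that is not part of the original post: passwords are stored only as a per-user random salt plus a PBKDF2 derivation (so the welcome mail physically cannot contain the password), verification compares derived keys in constant time, and a reset never echoes or reveals the password but issues a short-lived, single-use token for the confirmed e-mail address. The in-memory dictionaries, the example users and the e-mail addresses are constructed for the demo; the iteration count is an assumption and should be set to the current recommended value for the hash in use.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stores for the demo (a real app would persist these).
_USERS = {}          # username -> {"salt": bytes, "hash": bytes, "email": str}
_RESET_TOKENS = {}   # sha256(token) -> (username, expiry_unix_time)

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune for your hardware/era
RESET_TOKEN_TTL = 15 * 60     # reset links die after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte salt is drawn per password,
    so two users with the same password get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def register(username: str, password: str, email: str) -> str:
    """Create the account and return the welcome-mail body. The plaintext
    password is never stored, so it cannot be mailed back later."""
    salt, dk = hash_password(password)
    _USERS[username] = {"salt": salt, "hash": dk, "email": email}
    return "Welcome! Your username is %s." % username


def verify_password(username: str, password: str) -> bool:
    rec = _USERS.get(username)
    if rec is None:
        hash_password(password)   # burn the same cost so unknown users aren't timeable
        return False
    _, dk = hash_password(password, rec["salt"])
    return hmac.compare_digest(dk, rec["hash"])


def request_password_reset(username: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Issue a one-time reset token and return (confirmed_email, token) for the
    mailer. Returns None for unknown users; callers should answer identically
    either way so the endpoint doesn't leak which usernames exist."""
    rec = _USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    expiry = (now if now is not None else time.time()) + RESET_TOKEN_TTL
    # Store only a hash of the token: a leaked table can't be replayed as links.
    _RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (username, expiry)
    return rec["email"], token


def reset_password(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use) and, if still valid, re-hash with a new salt."""
    entry = _RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None:
        return False
    username, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        return False
    salt, dk = hash_password(new_password)
    _USERS[username].update(salt=salt, hash=dk)
    return True


if __name__ == "__main__":
    print(register("alice", "correct horse", "alice@example.invalid"))
    email, token = request_password_reset("alice")
    print("would mail reset link containing token to", email)
    print("reset ok:", reset_password(token, "battery staple"))
    print("new password verifies:", verify_password("alice", "battery staple"))
```

Note the reset path never reads the old hash at all; a service that can answer "what is my password?" is, as the post says, one that kept the plaintext.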
I probably should send the guilty parties a note to let them know just how unwelcoming their ‘welcome’ e-mail is…
UPDATE: Wow, two services in this small corner of the web that do this. Complain when you see it, people. Any service that can send you your actual password – by mail, over the phone, on-screen, anywhere – isn’t storing it securely.
1 comment:
Agreed. Password hygiene is bad – and something we pointed out in some research done back in 2001 — back then we found that 40% of all users claimed to use the same password for pretty much all the services they use online. Things are better now as over the last few years sites have been requiring numbers, letters, longer passwords etc. BUT the problem is that if this super-password numbers and all is compromised it could lead to a cascading bad-network-effects cluster****. Listen to Greg, people.