Bad Form: Companies Still Send Passwords via Email

Let’s face it: we all reuse the same password for login accounts all over the Internet. At best, some of us create a few passwords through which we rotate.

So why is it that some companies still insist on sending me my password via email right after I create my online account? The reason I have a password in the first place is so that it doesn’t flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers.

This type of action, to me, is a sure sign of amateurs at work. In fact, it’s my lazy man’s approach for giving (or taking away) initial credibility to any company, startup or established: see how they handle the process of creating an online account.

So who gets picked on today? Search engine Mahalo, which is too bad, really, since they otherwise have plenty going for them. In their own words: “Mahalo is a human-powered search engine that creates organized, comprehensive, and spam free search results for the most popular search terms.”

It’s a fairly useful site and doesn’t require an account for much of what you can get out of it. But there are certain features and functions you do need an account for. So I signed up without hesitation and trusted the site subconsciously by using one of my “real” passwords. When I received the subsequent welcome email, there my password was, staring right back at me.

My only workaround to this all-too-common problem is to sign up for any new service with a throwaway I-don’t-care-if-you-know-my-password password, and to change it to a real password only after a) I receive that initial “thanks for signing up, here’s your account info” email and see that the password was not included, and b) I find that I am interested in using the service for longer than my first session of messing around.

But even then, I’ve seen some companies send out a “thank you for changing your password” update email which shows both your new and old password. (I’m not sure how Mahalo handles this; I haven’t gotten that far with them.)

What can make it even more of an eye roller is when the situation is thick with irony. I remember last year: An otherwise reputable affiliate program I signed up for wanted to make sure that my password was at least eight characters long and included both numbers and letters. It was then promptly sent out to my email. Wow. Thanks for making sure it was a good password!

Now, Jason Calacanis, the founder / CEO behind Mahalo, seems like a reasonable guy. I’ve emailed him to ask for this to be changed (or for an explanation). I can already give you the generic explanation I’ve heard before from other companies: “If you forget your password, you can just look it up in your email.” Here’s a better solution:

If I forget my password, I email support at mahalo.com (or whatever the appropriate address is) saying as much. Mahalo should then email me (only at the email address registered to my account) a randomly generated temporary password that works only for a limited amount of time. But it’s enough to get me into my account and let me change my password.

Is it a perfect solution? No. Just the first simple solution that comes to mind (that I’ve seen implemented elsewhere). There are other methods, too, like asking you for your mother’s maiden name / third grade teacher / favorite animal, etc. at the time of account creation. The site then asks you one of those questions if you’ve forgotten your password. Even then, though, it shouldn’t just let you in. Again, it should send a temp password to the email address on file.

I’m no security expert. But I do know that most any solution is better than automated open emailing of passwords.

*Update* Thanks to Jason Calacanis for responding (see comments below) and opening up for discussion via Twitter. For anyone interested, feel free to follow me on Twitter here.

  • http://blog.frivolousmotion.com Kevin M. Keating

    Absolutely, Bob. I’m surprised at Mahalo, too, in this case. Emailing passwords (especially when it comes in a message titled “here are your login details”) is really bad form. Even though most people don’t use separate passwords, this practice makes it super-easy to get into all manner of accounts if one’s email account is compromised. Add this to the fact that even security-conscious folks tend to make their email passwords far more insecure (low body image?) than their other passwords, and that most web services require little other than email access to change login details, and you’ve got a perfect storm.

  • Paul Ellis

    It really should be emphasized that this happens all over the web, not just at Mahalo. It is a huge problem. Especially with e-mail storage capacities making truly deleting e-mail a thing of the past. How many passwords could be found in your Gmail account just by searching for password? How many people tell Gmail/Yahoo/Hotmail/etc to remember their username and password?

    This all goes back to the same discussion we had over the Charter Communication’s E-mail debacle. How much can we expect from free services? They don’t have much incentive to care about their users’ privacy.

  • http://www.techconsumer.com Bob Caswell

    Paul, I agree that this goes well beyond Mahalo. I hope this didn’t come across as an isolated incident. It’s happened to me numerous times.

    Using Mahalo as an example goes back to Kevin’s surprise (I think). Like Kevin, I was surprised too. I’m generally more cautious with new sites. But Mahalo looks and feels like it should know better. Plus, it has the credibility boost of being the brainchild of Jason Calacanis (who should know better).

    Apparently, though, the correlation between perceived look/feel/credibility and privacy/security isn’t as high as I had hoped!

  • http://www.techconsumer.com Bob Caswell

    One more thing, I wanted to respond to this:

    “How much can we expect from free services? They don’t have much incentive to care about their users’ privacy.”

    I wonder about this… I’m not sure that being free is as much the problem as is the fact that there’s no viable substitute in most cases. It’s as if most, if not all, web 2.0 / social networking sites have a secret pact to never be sensitive to users’ privacy.

    Because as soon as some start caring, the rest may be expected to as well. But I guess my point is, just because something is free, doesn’t necessarily mean there isn’t an incentive for it to work well. These companies still need users to keep coming back.

  • http://www.calacanis.com Jason

    Frankly, I *hate* services that send me a new password when I forget it and I LOVE services that just send me my password.

    If someone has hacked into your email aren’t you already compromised big time?!

    Obviously the new password/password reset function is safer, but it’s also a pain in the neck. I understand for a bank, but for a bookmarking/social network like Mahalo or StumbleUpon?! Is that overkill?

    Like you said, many services send you a reminder email… is that really so wrong?!

    best j

  • http://blog.frivolousmotion.com Kevin M. Keating

    Here’s something to consider – because I think there are actually two separate pieces to this:

    Should the company send you your password automatically when you sign up, or only if you’ve forgotten it?

  • http://vrypan.net/ vrypan

    I’m scared by websites that prove that they keep my passwords unencrypted by sending them to me.

  • http://www.thevesuviusgroup.com Frans

    There is another issue as well. It also means those sites are storing the passwords in a readable manner, instead of a hash. If their database gets compromised/hacked, the hackers will have a nice list of login names, email accounts and passwords.

  • http://www.bettnet.com Domenico Bettinelli

    It’s somewhat ironic to complain that some sites don’t account for your (and others) poor security practices.

    While I agree that sending a new password in an open email exposes it for all the web to see, there’s plenty of responsibility on the user not to re-use important passwords or even keep a password that he uses just for sites without sensitive personal information.

    If you’re a Mac user, a program like 1Password makes generating secure passwords right in your browser (and remembering them when it’s time to use them!) very easy.

  • http://www.techconsumer.com Bob Caswell

    Jason, thanks for stopping by and responding. Now for my response to your response:

    “If someone has hacked into your email aren’t you already compromised big time?!”

    But the reason someone has hacked into my email could very well be one of your disgruntled employees (or any such employee of any company that sends passwords via email) that has easy access to all customers’ passwords (sitting right there on your mail server), many of which are likely to be the same as their passwords for their email accounts which they’ve also given you!

    “I understand for a bank, but for a bookmarking/social network like Mahalo or StumbleUpon?! Is that overkill?”

    Honestly, I’m a bit tired of the excuse of “anything that doesn’t have to do with your money isn’t worth protecting.” Also, do you really think all your users make sure to keep their bank passwords and social site passwords separate?

    And, by the way, Stumble Upon isn’t a fair comparison because the password it sends you when you create an account isn’t one you picked. Give me more examples of social networking sites that send out passwords. Digg doesn’t. Reddit doesn’t.

  • http://blog.1manit.net Michael

    Bob says:

    “Apparently, though, the correlation between perceived look/feel/credibility and privacy/security isn’t as high as I had hoped!”

    Why on earth would you think such a correlation exists?!

    You also state that you have a stockpile of “I-don’t-care-if-you-know-my-password password” so why are you not ALWAYS signing up for new services with those passwords, and then changing them. It sounds like a touch of laziness in not wanting to have to go through the steps of changing your password. I also do not know if Mahalo sends you an email with your new password after you change it or not. I will test that out right now, in fact.

    You should never assume that security on the web is as high as you want it to be. Take your best precautions with your information until you are sure of the security stance of the site.

  • http://www.techconsumer.com Bob Caswell

    Domenico Bettinelli,

    The responsibility is shared between user and company, no doubt. But I’m not sure how some users’ poor security habits should ever imply that the company shouldn’t take its side of the relationship seriously.

  • http://www.techconsumer.com Bob Caswell

    Michael,

    Points taken. I will be more cautious, of course, since that matters to me. But again, it’s a two way relationship. I’ll do my part, but I don’t think it unreasonable for companies to do their part as well.

  • kayzaar

    what i like best:

    after i click a ‘forgot password’ link
    the system sends me an email with an https link
    the page i’m getting to has a form with 2 fields:
    1. new password, 2. repeat new password.

    the link only works once, and has some time lock.
    seems perfect. is it?

  • http://blog.frivolousmotion.com Kevin M. Keating

    Domenico: You’re right, people need to be safer. But companies have an interest in protecting their users (customers, after all!) against their own bad habits. (See: seatbelts, airbags, antilock brakes, etc – hyperbole, sure, but it pertains). 1Pwd is cool, but not everyone knows about it/can afford it/etc. For companies like Facebook, MySpace, etc, where their users are the single most important asset, failing to protect them in any way possible can lead to serious problems. All it takes is one leak, and the flock will run.

    Besides, this is a programming problem that has been solved for years. No one is asking these companies to build a secure login from scratch. Easier, more cost effective to do it in the beginning than to deal with a problem down the line.

  • http://jrmehle.com Jared

    Yes Jason, having a hardcore security/password policy at Mahalo is probably overkill. You aren’t storing much in terms of personal information, so none of that is really necessary. Given the nature of your business, your users are probably of the more computer savvy class as well. However, I would guess that there are a significant number of ignorant people who don’t know any better.

    It’d be easy to just ignore these poor souls, but given that they make up a large percentage of the overall web population, it seems appropriate to make any exception.

    Personally, I can’t see how clicking a link in your email is any more of a “pain in the neck” than going to your email to retrieve your password. Security isn’t easy and it adds complexity. However, people will deal with minor inconveniences if they mean greater security. I would classify having to click a reset link in an email as a minor inconvenience.

  • http://faves.com/users/mike Mike Koss

    I agree, what Mahalo is doing is NOT a best practice. Web sites should:

    a) Never store your password in the clear (just a hash of the password that can be used to verify login).
    b) Never send a password in email or display it on any web page.
    c) The user password should only ever be sent over an SSL (secure) connection when logging in (WiFi connections are too easy to sniff).
    d) Provide a “Reset Password” page so people can get a link sent to their email account to re-create a forgotten password.

  • http://jimbojw.com/wiki/index.php?title=Blog Jim R. Wilson

    I’d like to draw a distinction between /sending/ a plaintext password and /storing/ a plaintext password.

    Mahalo sends the plaintext password in the account confirmation email, which is available to the script at form-submission time. The password is actually stored salted and hashed according to accepted storage practices.

    There is no way for an insider or attacker to recover a password from the system short of brute-forcing one password at a time. The applied salt makes rainbow-table attacks unfeasible.

    The credential storage mechanism is part of the underlying MediaWiki infrastructure (same technology which runs Wikipedia), is open-source, and we have not altered it.

    – Jim R. Wilson (Software Engineer for Mahalo.com)

  • David

    I tend to use a single strong password for stuff involving my money (including my email b/c stuff involving my money goes there). For things like mahalo, etc. I use the same password convention for each site, but not the same password. It makes it easy enough to remember without giving away the store.

  • http://www.techconsumer.com Bob Caswell

    Jim-

    Thanks for the details! You’ve taken away about 30% of my original concern. :-)

  • http://www.thevesuviusgroup.com Frans

    Thanks Jim. Jason made it sound like you would get your original password sent to you when you retrieve it.

  • http://www.techconsumer.com Bob Caswell

    Frans,

    Not sure if we’re talking about the same thing, but I wanted to clarify that Mahalo does still send your original password to you in an email right after you create an account. So your password is still open / unencrypted / in your email / on multiple mail servers, etc. Jim is simply saying that Mahalo doesn’t store the open versions of passwords, but they still send them.

  • http://www.commoneo.com John

    I have to agree with David. The best is to use the same simple password for all those sites you have nothing confidential on. For the rest, I use a combination of letters, numbers and special characters.

  • otto

    I think it is a valid policy as long as the user is made aware.

    Anyone who reuses passwords, even if it is just a password for random trash sites is at risk here of way more exposure than simply the login details to some search engine. If they are told when they enter the password that it will be sent to them in a plain text email, they can make the choice to use a different password and can fully understand how insecure it is (even if they SSL to their mailserver, who knows where else that email goes).

    That being said, it is not exactly smart to reuse the same password on any random sites as they could easily have the passwords stored in an insecure method or in a place readable by employees. I could even foresee an elaborate phishing scheme where instead of a fake site that they want to steal credentials for, they just create what looks like a cool new version of something. Imagine some myspace phishers putting up some screenshot mock ups and getting people to enter a username/email/password in order to join the upcoming open beta of the “next big social networking site”

  • http://myspace.com/freshcutsalads fresh

    Anyone reading this who hosts at dreamhost – I just put in this feature request. You can go to your web panel and vote for it.

  • http://llbbl.com Logan

    Sending passwords in plaintext via email is always a bad thing to do, even if its only during signup. Mahalo and others should know better!

    General Rules
    a) Passwords hash + salt in the database
    b) Never send a password in email or display it on any web page.
    c) The user password should only ever be sent over an SSL (secure) connection when logging in (WiFi connections are too easy to sniff).

    Proper way to do password resets
    a) Forgot Password with Email field
    b) Link is generated sent to email address, which expires within a set amount of time and includes a randomly generated string
    c) Clicking on link displays a form that allows user to change their password

    (thanks mike koss, I edited and added to yours)

  • Mangamuri

    Even the popular MySpace website sends the password in thank you e-mail !! That’s a good piece of work.

  • Frank

    Uh Logan, this is not a proper way to do password resets. It is vulnerable to an e-mail account breach or to sniffing of the e-mail while it is being sent, which are most of the reasons passwords via e-mail were considered bad. (Breach limited to old e-mails being the only missing reason.)

  • First Poster

    > Is it a perfect solution? No.

    Where does this construct come from? I see it fairly often recently. Do Americans learn this at school? This construct usually appears somewhere in the middle of an essay. “Is it blabla? Yes” “Is it blablabla? no”. Freaky as the FED.

  • Danijel

    Here’s my solution:

    When you create a password the system makes a hash (using md5 or something) and stores that in its database. Then when you log in, the system calculates the same hash of the password you entered and compares it to the hash in the database.

    The good thing about this solution is that no one, except the user, will know the password.

  • Pat

    I prefer the convenience of getting my old password sent to me… I guess if you feel more secure with another method then you also don’t mind having your nail clippers seized at the airport and having to carry small amounts of liquid in clear plastic baggies when you fly.

    It’s about usability, I suppose someone could randomly pick off an email coming to me with my password in it, but if they can hack into my circuit city account or post under my name at some forum… who cares?

    Banks/credit card companies have to be more secure (and are)… that’s all I care about!

  • Derek

    I really hate it when ANY company does this. Only last week I ordered a product from http://www.devexpress.com/ and they did this very thing! Not only that but they do not allow you to purchase any of their products using public email accounts i.e. gmail/yahoo etc. Ludicrous I tell you ludicrous!

  • noyb

    I work in IT security and it is our policy that it is ok to email passwords as long as they are separate from which system they log you in to and your username for that system. Keep those 3 pieces separate and one alone will get you nothing.

  • http://www.owasp.org/index.php/Guide_to_Authentication Phil

    Check the OWASP Guide’s Authentication chapter for a long list of best practices. For password resets:

    Send a message to the user explaining that someone has triggered the password reset functionality. Ask them if they didn’t ask for the reset to report the incident. If they did trigger it, provide a short cryptographically unique time limited token ready for cut and paste. Do not provide a hyperlink as this is against phishing best practices and will make scamming users easier over time. This value should then be entered into the application which is waiting for the token. Check that the token has not expired and it is valid for that user account. Ask the user to change their password right there. If they are successful, send a follow up e-mail to the user and to the admin. Log everything.

    All-in-all a good chapter. The problem with best practices lists is that different websites will require different levels of security, so not everything applies to everyone, but some simple things like “never send passwords in cleartext” should apply to everyone.
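The reset flow the post proposes (a random, time-limited credential sent only to the registered address) and the refinements in the comments (kayzaar’s and Logan’s single-use expiring link, Mike Koss’s and Jim’s hashed storage, Phil’s pasteable token) combined into one runnable sketch. This is an added example, not Mahalo’s code or the OWASP guide’s; the in-memory dictionaries, the 15-minute token lifetime and the PBKDF2 work factor are assumptions, and passwords are hashed with salted PBKDF2 rather than md5.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a database (assumption).
# Neither one ever holds a plaintext password or a raw reset token.
USERS = {}          # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"email": str, "expires": float, "used": bool}

TOKEN_TTL_SECONDS = 15 * 60   # assumed "time lock" on a reset token
PBKDF2_ROUNDS = 100_000       # assumed work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(email: str, password: str) -> str:
    """Sign-up. Returns the welcome mail body, which deliberately omits the password."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "pw_hash": hash_password(password, salt)}
    return f"Thanks for signing up. Your account {email} is ready."


def verify_login(email: str, password: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """'Forgot password': returns the one-time token to mail to the registered
    address only (None for unknown accounts; the HTTP response to the caller should
    look identical either way so the form does not reveal who has an account).
    Only a hash of the token is stored, so a database leak yields nothing usable."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {"email": email,
                                       "expires": now + TOKEN_TTL_SECONDS,
                                       "used": False}
    return token


def complete_reset(email: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Accept the token only if it is unexpired, unused and bound to this account,
    then replace the password hash. The user is never let in without setting a new
    password, and the old one is not recoverable from anything stored here."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(_token_key(token))
    if rec is None or rec["used"] or rec["email"] != email or now > rec["expires"]:
        return False
    rec["used"] = True            # single use: a replayed link or token fails
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "pw_hash": hash_password(new_password, salt)}
    return True
```

The token can be embedded in an https link (the commenters’ variant) or presented for cut and paste (the OWASP variant); the verification logic is the same either way.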

  • Robert

    What a sham to knowingly use identical passwords across the net and then blame someone else for what you feel is poor procedure. I won’t defend their procedure but I would suggest you not continuing known bad practices and blaming others.

  • Peter

    Frankly I think it is just stupid for a website to email me my account information and password right after I signed up. Why would I need that? I just signed up 5 minutes ago! Will I forget my password in those 5 minutes?

    I too have been shocked when I receive an email with my password in plain text! While the chance of it being intercepted may be small, why take that chance?

    I disagree with Jason. I would much prefer to receive a “reset your password” link if I forget it, than to have my account information mailed to me immediately or later.

  • bobby scott

    I don’t remember any passwords — I remember one RULE by which a robust password for a given site is to be generated using the domain name as input.

    e.g.: take the word truck, append the number of letters in the domain name, then the second letter from the domain name capitalized, and then the second from last letter.

    for ebay.com, the resultant password would be

    truck4Ba

    It does not solve the case of a single site’s stupidity, but isolates each site so that even a compromised password can only be used at a single site and anyone knowing one password will have little insight into how to impersonate me elsewhere. And yet, my memorization burden remains fixed.

    The last wrinkle is that I use a common password for all sites where my identity is not worthy of great protection, such as a BBS

  • http://7283771 6087079

    A friend of mine recently created this site to bring this issue to light:

    http://plaintextshame.com/

  • http://www.techconsumer.com Bob Caswell

    6087079, nice site, but a little short and missing Mahalo. :-)

  • Tiger

    “Here’s a better solution: … crappy solution snipped …”

    “I’m no security expert.”

    Meaning I’m no security expert, but I’m not afraid to pretend like one on my blog.

    And give users equally crappy advice.

    Do you have any kettles laying around the house you call black?

  • Aaron Wallentine

    I agree that sending passwords in plaintext over email is a widespread insecure practice. All it takes is someone with a packet sniffer on a public network to see anything sent across. They can filter for packets that include the word “password” which password emails often do.

    The issue is not whether someone has “hacked into your email”; I don’t need your email password to sniff your email traffic being passed in plaintext on a public network.

    And as for reusing passwords, I used to do this, but it’s a bad practice. Now I use a password safe. There are many out there, but I use KeePass (keepass.sourceforge.net) – it’s Open Source, highly secure, portable, and cross platform. (The main program is for windows, but there are compatible versions which use the same data file format for Linux and Mac OS X). It includes a built-in password generator, so I generate a new random secure password for each new site and save it in KeePass. I keep KeePass as a portable app on my USB Flash (Thumb) Drive that I keep with me, so I carry it wherever I need it. You use a master password to open up the encrypted password database in KeePass. So I only have to remember one password, and since it’s only one, it can be a strong one.

    And when I open it at home, I use a batch file that automatically makes a copy onto my hard drive, so I always have a backup in case my thumb drive gets lost or destroyed (which happened to me once – I accidentally destroyed one).

    Use a unique, strong password for every site! It’s a no-brainer if you have the right tools.

    So if one of my passwords does get compromised by being sent in plaintext over the network, at least it’s a unique password that has nothing to do with any of my other passwords.

    I’m still trying to come up with a solution to sending passwords over email. Really, I just need to finally figure out how to encrypt my email with PGP. That doesn’t solve sites emailing me my password, but I often find I need to send passwords to other people, and that solves that problem.
