Bad Form: Companies Still Send Passwords via Email

Let’s face it: we all reuse the same password for login accounts all over the Internet. At best, some of us create a few passwords that we rotate through.

So why is it that some companies still insist on sending me my password via email right after I create my online account? The reason I have a password in the first place is so that it doesn’t flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers.

This type of action, to me, is a sure sign of amateurs at work. In fact, it’s my lazy man’s test for granting (or withholding) initial credibility to any company, startup or established: see how it handles the process of creating an online account.

So who gets picked on today? Search engine Mahalo, which is too bad, really, since they otherwise have plenty going for them. In their own words: “Mahalo is a human-powered search engine that creates organized, comprehensive, and spam free search results for the most popular search terms.”

It’s a fairly useful site and doesn’t require an account for much of what you can get out of it. But there are certain features and functions you do need an account for. So I signed up without hesitation and trusted the site subconsciously by using one of my “real” passwords. When I received the subsequent welcome email, there my password was, staring right back at me.

My only workaround to this all-too-common problem is to sign up for any new service with a throwaway I-don’t-care-if-you-know-it password, and to change it to a real password only after a) I receive that initial “thanks for signing up, here’s your account info” email and see that the password was not included, and b) I find that I am interested in using the service beyond my first session of messing around.

But even then, I’ve seen some companies send out a “thank you for changing your password” update email which shows both your new and old password. (I’m not sure how Mahalo handles this; I haven’t gotten that far with them.)

What can make it even more of an eye roller is when the situation is thick with irony. I remember last year: An otherwise reputable affiliate program I signed up for wanted to make sure that my password was at least eight characters long and included both numbers and letters. It was then promptly sent out to my email. Wow. Thanks for making sure it was a good password!

Now, Jason Calacanis, the founder / CEO behind Mahalo, seems like a reasonable guy. I’ve emailed him to ask for this to be changed (or for an explanation). I can already give you the generic explanation I’ve heard before from other companies: “If you forget your password, you can just look it up in your email.” Here’s a better solution:

If I forget my password, I email support at mahalo.com (or whatever the appropriate address is) saying as much. Mahalo should then email me (only at the email address registered in my account) a randomly generated temporary password that works only for a limited amount of time and only once. But it’s enough to get me into my account and allow me to change my password.

Is it a perfect solution? No. Just the first simple solution that comes to mind (that I’ve seen implemented elsewhere). There are other methods, too, like asking you for your mother’s maiden name / third grade teacher / favorite animal, etc. at the time of account creation. The site then asks you one of those questions if you’ve forgotten your password. Even then, though, it shouldn’t just let you in. Again, it should send a temp password to the email address on file.

I’m no security expert. But I do know that most any solution is better than automated open emailing of passwords.
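As an added illustration of the reset flow sketched above, here is a minimal Python implementation. It is example code written for this page, not Mahalo’s code and not something the author posted. An in-memory dictionary stands in for the site’s user and token tables, the 15-minute lifetime and the PBKDF2 work factor are assumed policy, the reset URL host is a placeholder, and the “outbox” list stands in for actual mail delivery. The welcome mail carries no secret, the reset link goes only to the address on file, only a hash of the token is stored, and the token is consumed on first use.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a temp credential lives 15 minutes
PBKDF2_ROUNDS = 100_000       # assumed work factor for stored password hashes
RESET_URL = "https://example.invalid/reset?t="   # placeholder host, not Mahalo's


class FakeClock:
    """Adjustable clock so token expiry can be exercised without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class ResetService:
    """In-memory stand-in for the site's account and reset-token tables."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}   # email -> {"salt": bytes, "hash": bytes}
        self.tokens = {}     # sha256(token) -> {"email": str, "expires": float}
        self.outbox = []     # (recipient, body) pairs standing in for real mail

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _store_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "hash": self._derive(password, salt)}

    def register(self, email, password):
        self._store_password(email, password)
        # The welcome mail carries no secret at all.
        self.outbox.append((email, "Thanks for signing up; your login name is " + email))

    def login(self, email, password):
        rec = self.accounts.get(email)
        if rec is None:
            return False
        return secrets.compare_digest(self._derive(password, rec["salt"]), rec["hash"])

    def request_reset(self, email):
        """'I forgot my password.'  A link goes only to the address on file, and
        the visible response is the same whether or not the address is
        registered, so the form cannot be used to enumerate accounts."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)                    # 256 bits from the OS CSPRNG
            key = hashlib.sha256(token.encode()).hexdigest()     # store only the hash
            self.tokens[key] = {"email": email,
                                "expires": self.clock() + TOKEN_TTL_SECONDS}
            self.outbox.append((email, "Reset link: " + RESET_URL + token))
        return "If that address is registered, a reset link has been sent."

    def redeem(self, token, new_password):
        """Consume the token: it must exist and be unexpired, and it is removed
        on the first attempt that names it, so a leaked link cannot be replayed."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)
        if entry is None or self.clock() > entry["expires"]:
            return False
        self._store_password(entry["email"], new_password)
        return True


if __name__ == "__main__":
    clock = FakeClock()
    svc = ResetService(clock=clock)
    svc.register("bob@example.invalid", "correct horse")
    svc.request_reset("bob@example.invalid")
    token = svc.outbox[-1][1].split("?t=")[1]
    print("reset ok:", svc.redeem(token, "battery staple"))                 # True
    print("replay ok:", svc.redeem(token, "again"))                         # False, single use
    print("login ok:", svc.login("bob@example.invalid", "battery staple"))  # True
```

Two design choices worth noting: storing only the hash of the token means that someone who can read the token table (a disgruntled insider, a database leak) still cannot mint a usable link, and popping the token rather than reading it means that even a successful reset cannot be repeated from an old mail.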

*Update* Thanks to Jason Calacanis for responding (see comments below) and opening up for discussion via Twitter. For anyone interested, feel free to follow me on Twitter here.


Viewing 41 Comments


    Absolutely, Bob. I'm surprised at Mahalo, too, in this case. Emailing passwords (especially when it comes in a message titled "here are your login details") is really bad form. Even though most people don't use separate passwords, this practice makes it super-easy to get into all manner of accounts if one's email account is compromised. Add this to the fact that even security-conscious folks tend to make their email passwords far more insecure (low body image?) than their other passwords, and that most web services require little other than email access to change login details, and you've got a perfect storm.

    discussion we had over the Charter Communications' e-mail debacle. How much can we expect from free services? They don't have much incentive to care about their users' privacy.

    Paul, I agree that this goes well beyond Mahalo. I hope this didn't come across as an isolated incident. It's happened to me numerous times.

    Using Mahalo as an example goes back to Kevin's surprise (I think). Like Kevin, I was surprised too. I'm generally more cautious with new sites. But Mahalo looks and feels like it should know better. Plus, it has the credibility boost of being the brainchild of Jason Calacanis (who should know better).

    Apparently, though, the correlation between perceived look/feel/credibility and privacy/security isn't as high as I had hoped!

    One more thing, I wanted to respond to this:

    "How much can we expect from free services? They don’t have much incentive to care about their users’ privacy."

    I wonder about this... I'm not sure that being free is as much the problem as is the fact that there's no viable substitute in most cases. It's as if most, if not all, web 2.0 / social networking sites have a secret pact to never be sensitive to users' privacy.

    Because as soon as some start caring, the rest may be expected to as well. But I guess my point is, just because something is free, doesn't necessarily mean there isn't an incentive for it to work well. These companies still need users to keep coming back.

    Frankly, I *hate* services that send me a new password when I forget it and I LOVE services that just send me my password.

    If someone has hacked into your email aren't you already compromised big time?!

    Obviously the new password/password reset function is safer, but it's also a pain in the neck. I understand for a bank, but for a bookmarking/social network like Mahalo or StumbleUpon?! Is that overkill?

    Like you said, many services send you a reminder email... is that really so wrong?!

    best j

    Here's something to consider - because I think there are actually two separate pieces to this:

    Should the company send you your password automatically when you sign up, or only if you've forgotten it?

    I'm scared by websites that prove that they keep my passwords unencrypted by sending them to me.

    There is another issue as well. It also means those sites are storing the passwords in a readable manner, instead of a hash. If their database gets compromised/hacked, the hackers will have a nice list of login names, email accounts and passwords.

    It's somewhat ironic to complain that some sites don't account for your (and others') poor security practices.

    While I agree that sending a new password in an open email exposes it for all the web to see, there's plenty of responsibility on the user not to re-use important passwords or even keep a password that he uses just for sites without sensitive personal information.

    If you're a Mac user, a program like 1Password makes generating secure passwords right in your browser (and remembering them when it's time to use them!) very easy.

    Jason, thanks for stopping by and responding. Now for my response to your response:

    "If someone has hacked into your email aren’t you already compromised big time?!"

    But the reason someone has hacked into my email could very well be one of your disgruntled employees (or any such employee of any company that sends passwords via email) that has easy access to all customers' passwords (sitting right there on your mail server), many of which are likely to be the same as their passwords for their email accounts which they've also given you!

    "I understand for a bank, but for a bookmarking/social network like Mahalo or StumbleUpon?! Is that overkill?"

    Honestly, I'm a bit tired of the excuse of "anything that doesn't have to do with your money isn't worth protecting." Also, do you really think all your users make sure to keep their bank passwords and social site passwords separate?

    And, by the way, Stumble Upon isn't a fair comparison because the password it sends you when you create an account isn't one you picked. Give me more examples of social networking sites that send out passwords. Digg doesn't. Reddit doesn't.

    Bob says:

    "Apparently, though, the correlation between perceived look/feel/credibility and privacy/security isn’t as high as I had hoped!"

    Why on earth would you think such a correlation exists?!

    You also state that you have a stockpile of "I-don’t-care-if-you-know-my-password password" so why are you not ALWAYS signing up for new services with those passwords, and then changing them. It sounds like a touch of laziness in not wanting to have to go through the steps of changing your password. I also do not know if Mahalo sends you an email with your new password after you change it or not. I will test that out right now, in fact.

    You should never assume that security on the web is as high as you want it to be. Take your best precautions with your information until you are sure of the security stance of the site.

    Domenico Bettinelli,

    The responsibility is shared between user and company, no doubt. But I'm not sure how some users' poor security habits should ever imply that the company shouldn't take its side of the relationship seriously.

    Michael,

    Points taken. I will be more cautious, of course, since that matters to me. But again, it's a two way relationship. I'll do my part, but I don't think it unreasonable for companies to do their part as well.

    What I like best:

    after I click a 'forgot password' link
    the system sends me an email with an https link
    the page I'm getting to has a form with 2 fields:
    1. new password, 2. repeat new password.

    the link only works once, and has some time lock.
    seems perfect. is it?

    Domenico: You're right, people need to be safer. But companies have an interest in protecting their users (customers, after all!) against their own bad habits. (See: seatbelts, airbags, antilock brakes, etc - hyperbole, sure, but it pertains). 1Pwd is cool, but not everyone knows about it/can afford it/etc. For companies like Facebook, MySpace, etc, where their users are the single most important asset, failing to protect them in any way possible can lead to serious problems. All it takes is one leak, and the flock will run.

    Besides, this is a programming problem that has been solved for years. No one is asking these companies to build a secure login from scratch. Easier, more cost effective to do it in the beginning than to deal with a problem down the line.

    Yes, Jason, having a hardcore security/password policy at Mahalo is probably overkill. You aren't storing much in terms of personal information, so none of that is really necessary. Given the nature of your business, your users are probably of the more computer savvy class as well. However, I would guess that there are a significant number of ignorant people who don't know any better.

    It'd be easy to just ignore these poor souls, but given that they make up a large percentage of the overall web population, it seems appropriate to make any exception.

    Personally, I can't see how clicking a link in your email is any more of a "pain in the neck" than going to your email to retrieve your password. Security isn't easy and it adds complexity. However, people will deal with minor inconveniences if they mean greater security. I would classify having to click a reset link in an email as a minor inconvenience.

    I agree, what Mahalo is doing is NOT a best practice. Web sites should:

    a) Never store your password in the clear (just a hash of the password that can be used to verify login).
    b) Never send a password in email or display it on any web page.
    c) Only ever send the user's password over an SSL (secure) connection when logging in (WiFi connections are too easy to sniff).
    d) Provide a "Reset Password" page so people can get a link sent to their email account to re-create a forgotten password.

    I'd like to draw a distinction between /sending/ a plaintext password and /storing/ a plaintext password.

    Mahalo sends the plaintext password in the account confirmation email, which is available to the script at form-submission time. The password is actually stored salted and hashed according to accepted storage practices.

    There is no way for an insider or attacker to recover a password from the system short of brute-forcing one password at a time. The applied salt makes rainbow-table attacks unfeasible.

    The credential storage mechanism is part of the underlying MediaWiki infrastructure (same technology which runs Wikipedia), is open-source, and we have not altered it.

    -- Jim R. Wilson (Software Engineer for Mahalo.com)
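To make concrete the distinction Jim draws, and the earlier comments about what a leaked database hands an attacker, the following Python example, added here and not Mahalo's or MediaWiki's code, simulates a compromised credential table stored two ways (unsalted hash versus per-account salted hash) and runs the two attacks against it. The users, passwords and wordlist are constructed for the demonstration; SHA-256 is used only to keep it fast, whereas a real store uses a deliberately slow function (PBKDF2, bcrypt or scrypt), which multiplies the per-account cost shown here further.

```python
import hashlib
import secrets

# Constructed sample data: four accounts and the short wordlist an attacker
# holding the leaked table would try first.  "hunter2" is deliberately absent.
USERS = {"alice": "password1", "bob": "letmein", "carol": "dragon", "dave": "hunter2"}
WORDLIST = ["123456", "password1", "letmein", "qwerty", "dragon"]


def digest(password, salt=b""):
    # SHA-256 keeps the demo fast; a real store uses a slow KDF (PBKDF2/bcrypt/scrypt).
    return hashlib.sha256(salt + password.encode()).hexdigest()


def leaked_table(use_salt):
    """The rows an attacker obtains after the database is compromised."""
    rows = {}
    for user, pw in USERS.items():
        salt = secrets.token_bytes(16) if use_salt else b""
        rows[user] = (salt, digest(pw, salt))
    return rows


def crack_with_precomputed_table(rows):
    """Rainbow-table style attack: hash the wordlist ONCE, up front, then look
    every leaked row up in that table.  Cost is independent of the row count."""
    table = {digest(w): w for w in WORDLIST}
    work = len(WORDLIST)
    found = {user: table[h] for user, (_, h) in rows.items() if h in table}
    return found, work


def crack_per_account(rows):
    """With a per-account salt the precomputed table is useless; the attacker
    must rerun the wordlist against each row, so cost grows with the row count
    (and an account whose password is not in the list costs the full list)."""
    found, work = {}, 0
    for user, (salt, h) in rows.items():
        for w in WORDLIST:
            work += 1
            if digest(w, salt) == h:
                found[user] = w
                break
    return found, work


def breach_summary():
    """(accounts cracked, hash computations) for each storage choice and attack."""
    unsalted = leaked_table(use_salt=False)
    salted = leaked_table(use_salt=True)
    t_found, t_work = crack_with_precomputed_table(unsalted)
    s_found, s_work = crack_with_precomputed_table(salted)
    p_found, p_work = crack_per_account(salted)
    return {
        "unsalted, precomputed table": (len(t_found), t_work),
        "salted, precomputed table": (len(s_found), s_work),
        "salted, per-account guessing": (len(p_found), p_work),
    }


if __name__ == "__main__":
    for label, (cracked, work) in breach_summary().items():
        print(f"{label}: {cracked} of {len(USERS)} cracked, {work} hashes computed")
```

Run stand-alone it shows the shape of Jim's claim: the unsalted table falls to a table built once (three of four accounts for five hashes), the same table recovers nothing from the salted rows, and the attacker is pushed back to guessing one account at a time, which is exactly where a slow KDF makes each guess expensive. Note that salting does nothing for a password that is in the attacker's list; it only removes the shortcut.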

    I tend to use a single strong password for stuff involving my money (including my email b/c stuff involving my money goes there). For things like mahalo, etc. I use the same password convention for each site, but not the same password. It makes it easy enough to remember without giving away the store.

    Jim-

    Thanks for the details! You've taken away about 30% of my original concern. :-)

    Thanks Jim. Jason made it sound like you would get your original password sent to you when you retrieve it.