Last month I picked on search engine Mahalo as an example of a company emailing its customers passwords. I mentioned how having your password floating around openly on mail servers can defeat the purpose of having a password in the first place. Mahalo’s founder and CEO, Jason Calacanis, joined the discussion and some good thoughts were shared from both sides of the issue.
Today I found out that MySpace is on the list of companies sending out passwords through email. I finally signed up (that could be a separate conversation, why I’ve ignored MySpace till now) and promptly got a welcome email with my password staring back at me. MySpace, though, takes it one step further and adds insult to injury by saying “Keep it secret. Keep it safe.” right below my visible password. As if I had a choice at that point, MySpace, you just made it less secret and less safe.
But, of course, I used an I-don’t-care-as-much-if-others-know password that I wouldn’t use for other “important” sites. And I’m sure that the hundreds of millions of MySpace users do the same (yeah, right). In all seriousness, though, I can see how certain sites don’t need the same level of security as others. As an example, there is an obvious difference between MySpace and your bank in terms of security.
In reality, though, there’s a wide spectrum of sites and services protected by passwords. It’s not black and white with only “banks” on the one side and “social networking” on the other. So who should decide which service deserves what level of protection? Well, in this case, it’s my opinion that it’s in the best interest of any company protecting your information with a password to avoid sending that password insecurely over email.
But assuming a world where there will always be companies that send passwords in emails, the very least they could do is tell you this before you decide on your password. That way, you’d know to what degree a company values the protection of your information before you decide on what password to give them.
One very simple implementation of this is that of a company showing you your password as you choose it. You’d then know that this should be a less important type of password. In fact, I’m not sure why asterisks are necessary to “hide” your password as you’re typing it the first time if 30 seconds later the same password previously hidden by asterisks is visible on screen in your email.
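As an added example (not from the original post, and not MySpace’s or Mahalo’s code), here is a Python sketch of a sign-up step that stores only a salted hash, builds the two welcome-mail styles contrasted above side by side, and runs an outbound guard that flags any message still carrying the plaintext password. All function names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example; helper names are hypothetical, not a real site's API.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Persist only a random salt and a PBKDF2 digest, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def insecure_welcome_mail(username: str, password: str) -> str:
    """The pattern the post criticises: the password travels in a cleartext mail."""
    return (f"Welcome {username}!\nYour password is: {password}\n"
            "Keep it secret. Keep it safe.\n")


def secure_welcome_mail(username: str) -> str:
    """Hardened form: nothing secret in the body; recovery goes via a reset flow."""
    return (f"Welcome {username}!\nForgot your password? Use the reset link on the "
            "login page. We will never email your password.\n")


def mail_leaks_password(body: str, password: str) -> bool:
    """Minimal outbound guard: a plain substring check for the chosen password."""
    return password in body


def register(username: str, password: str, email_password: bool = False) -> dict:
    """Sign-up step: hash for storage, draft the welcome mail, and run the guard.
    `mail_blocked` is True when the draft must not be sent."""
    salt, digest = hash_password(password)
    body = (insecure_welcome_mail(username, password) if email_password
            else secure_welcome_mail(username))
    return {"user": username, "salt": salt, "hash": digest, "mail_body": body,
            "mail_blocked": mail_leaks_password(body, password)}
```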
However the “less secure” message is conveyed before you create your password, is it too much to ask for this kind of disclosure from companies?