Let’s face it; we all reuse the same password for login accounts all over the Internet. At best, some of us create a few passwords through which we rotate. So why is it that some companies still insist on sending me my password via email right after I create my online account? The reason I have a password in the first place is so that it doesn’t flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers.
This type of action, to me, is a sure sign of amateurs at work. In fact, it’s the lazy man approach for me to give (or take away) initial credibility to any company, startup or established: see how they handle the process of creating an online account.
Just the other week, a classic case of stupid reminded me of this. An affiliate program I signed up for wanted to make sure that my password was at least eight characters long and included both numbers and letters. It was then promptly sent out to my email. Wow. Thanks for making sure it was a good password!
My only workaround to this all-too-common problem is to sign up with any new service with a token I-don’t-care-if-you-know-my-password password only to change it to a real password after a) I receive that initial “thanks for signing up, here’s your account info” email and see that the password was not included and b) find that I am interested in using the service for longer than just my first time of messing around.
Well, the core problem is to use the same password everywhere. I realize that it’s common to do so but you can’t legitimately complain about e-mailed passwords if you are making the more fundamental security mistake first. Two wrongs don’t make a right.
That said, the “correctness” of selected feature is a balance between benefit and risk. For most people e-mailed passwords offer a risk is lower than the convenience. The real issues are 1) risk and benefit are arbitrary and individually defined by the user, not the website creator and 2) no alternative risk/benefit choice is offered by the website creator. In the first case the problem space is ignored and in the second the solution space is ignored.
I’ve used websites where e-mailed passwords were *not* used for password recovery and the chosen alternative was so onerous compared to the value of what I was trying to get done that the *lack* that e-mailed passwords both incensed me and reduced the value of use the website to me.
I agree. I too sign up with one password, wait for the infamous email to show up in my inbox, then go *back* to the site to change it into something else (in the hope that they don’t email the changes to me as well). However I always use a generated password, never an “old standard”
Emailing passwords is bad form, especially if you can’t opt-out of the password being emailed to you.
Thanks, Tara, I agree that emailing passwords is bad form and that an opt-out would be a fine solution (but no one ever listens to me!).
And J, to quibble a bit, I have to say that I don’t necessarily agree that “the core problem is to use the same password everywhere.” The problem I’m talking about (passwords being emailed) would still be the exact same problem even if I picked a brand new password exclusively for my new login. If I care anything for my privacy / security, I don’t want it emailed to me, plain and simple.
I’m completely agree with whatever you wrote in this article. Sending password through email is not a good business practice.
Anyways, I don’t care even a few companies do that because it’s my habit to use a 5 to 8 characters long password during the signup process. No matter if it’s a big company like IBM or a new startup, I do change my password after receiving the account activation email.
Even in the current Web 2.0 era, I’ve experienced a few Web 2.0 startups sending passwords included in their account activation email. They really need to understand that this is the year 2007!
Just thought I’d follow up here. Have a look at this:
http://passpack.wordpress.com/2007/04/06/how-safe-is-passwordsafe/
An online Password Manager that sends you your master password via email. (I know it’s not nice to point a finger like this, but I’m honestly shocked)
Good info, Tara, thanks.