Last month I picked on search engine Mahalo as an example of a company emailing its customers passwords. I mentioned how having your password floating around openly on mail servers can defeat the purpose of having a password in the first place. Mahalo’s founder and CEO, Jason Calacanis, joined the discussion and some good thoughts were shared from both sides of the issue.
Today I found out that MySpace is on the list of companies sending out passwords through email. I finally signed up (that could be a separate conversation, why I’ve ignored MySpace till now) and promptly got a welcome email with my password staring back at me. MySpace, though, takes it one step further and adds insult to injury by saying “Keep it secret. Keep it safe.” right below my visible password. As if I had a choice at that point, MySpace. You just made it less secret and less safe.
But, of course, I used an I-don’t-care-as-much-if-others-know password that I wouldn’t use for other “important” sites. And I’m sure that the hundreds of millions of MySpace users do the same (yeah, right). In all seriousness, though, I can see how certain sites don’t need the same level of security as others. As an example, there is an obvious difference between MySpace and your bank in terms of security.
In reality, though, there’s a wide spectrum of sites and services protected by passwords. It’s not black and white with only “banks” on the one side and “social networking” on the other. So who should decide which service deserves what level of protection? Well, in this case, it’s my opinion that it’s in the best interest of any company protecting your information with a password to avoid sending that password insecurely over email.
But assuming a world where there will always be companies that send passwords in emails, the very least they could do is tell you this before you decide on your password. That way, you’d know to what degree a company values the protection of your information before you decide on what password to give them.
One very simple implementation of this is that of a company showing you your password as you choose it. You’d then know that this should be a less important type of password. In fact, I’m not sure why asterisks are necessary to “hide” your password as you’re typing it the first time if 30 seconds later the same password previously hidden by asterisks is visible on screen in your email.
However the “less secure” message is conveyed before you create your password, is it too much to ask for this kind of disclosure from companies?
Thank you. This is a question which I often ask myself. Why do I receive new/reset/forgotten passwords by e-mail? And I think this is why people often confuse certain accounts with being ‘safe enough to store sensitive info’.
Considering it may be a bit difficult to get all the big guys to change their ways, we may have to work from the bottom up. Basically, when you get your password via e-mail, change it immediately in a safe place such as a password manager (PassPack) that generates strong and unique passwords, encrypts and then stores them in such a way that only you have access to them:
http://tinyurl.com/2rtbzw
And keep in mind that re-using passwords is never a good idea.
Louise Vinciguerra (PassPack)
Thanks for the tip, Louise. I keep meaning to try out and review PassPack. Maybe I’ll get on it and actually start being more responsible with my passwords. Say hi to Tara.
Hi Bob!
myspace safes to keep my stuff in
Hey Bob.
I have sent my MySpace password to my email account and it has shown up
What do I do?
thx
becca
Thanks for sharing
image hosting for myspace