Home > FAIL > Dear plaintext-email password people,

Dear plaintext-email password people,

August 11th, 2009

A while back I wrote this on another blog.

An open letter to websites that require your registration, then email you your details, including the password, in plaintext.

Dear plaintext-email password people,

You’ve got to be fucking kidding me.

Firstly, let’s pretend you have some kind of technology that allows you to safely store passwords in plaintext. Let’s further pretend that there’s a way to safely transmit and store those password through email. Pretending that, why are you sending people the password they just set 30 seconds ago? Do you think they’ve forgotten already? Do you think they blindly mash the keyboard, in order to keep their password SO SECRET that not even THEY know it? Did you not bother to code a “I forgot my password” function?

Secondly, let’s merely pretend you have the magic Safe Storage of plaintext Passwords technology. Why are you sending plaintext passwords through email? Suppose a Bad Guy gets into the user’s email account, whether it’s the user’s fault [poor password, unattended session, insecure environment] or not [server hack, vulnerable authentication method, session hijacking]. Thanks to the miracle of YOUR technology, all the Bad Guy needs to do is search for “Password:” and now he has your user’s account details, along with the details for any other crappy sites just like yours. If the user doesn’t choose a different password for every account (and who does? I don’t even do that, and here I am writing obscene security rants), the Bad Guy now has a nice user/pass pair to try for more significant services than your crappy site [banks, paypal, etc.]. Thanks for doing your part to deploy Vulnerability In Depth!

Thirdly, let’s abandon all pretense and face it: there’s no reason for you to store plaintext passwords in your crappy database. I’ll let you in on a secret: thanks to time travel, I’ve come up with a more secure way to do things! I’ve traveled back in time to the 1970s and brought back a magical pile of voodoo called password hashing. If you want to go nuts, you might even consider salt! [Haha, I do not refer to food in the previous sentence. An explanation of “salt” is here, and an explanation of “nuts” is that you’re retarded.]

Fourthly, go to hell. If you actually wrote that code, fuck you. Put some forethought into it. If you merely use that code, fuck you. Don’t make your users pay for someone else’s stupid mistake.


Categories: FAIL
  1. August 26th, 2009 at 11:38 | #1

    You’re damn right. Every time I get my password emailed to me in plain text I immediately hit Google to see if it winds anyone else up as much as it winds me up. Reading rants like this helps me to calm down, but could anything more constructive be done about it?

    Maybe… I’m thinking of compiling a blacklist of sites that do it and trying to get a campaign together to make it stop. Maybe companies can be shamed into thinking a little bit about their customers’ security.

Comments are closed.