Dangerous practices -- sending passwords

[thibaulthalpern]

Just a word of warning to those of you who may be registering an account with BooksOnBoard or eBooks. They have this horrendous practice whereby they send you a confirmation email with the password you registered your account in. I have emailed both companies to alert them of the problem and to ask them to remedy the problem.

As many of you know, email is an insecure form of electronic transmission (unless you are using signed email or PGP, but 99% of email traffic is not using those forms of security) and companies should not be emailing you your passwords.

I'm surprised that in this day and age such "revolutionary" companies are still making mistakes like this that one would see in the early years of public usage of the internet circa 1993.

[HarryT]

Quote:

Originally Posted by thibaulthalpern

Just a word of warning to those of you who may be registering an account with BooksOnBoard or eBooks. They have this horrendous practice whereby they send you a confirmation email with the password you registered your account in. I have emailed both companies to alert them of the problem and to ask them to remedy the problem.

As many of you know, email is an insecure form of electronic transmission (unless you are using signed email or PGP, but 99% of email traffic is not using those forms of security) and companies should not be emailing you your passwords.

I'm surprised that in this day and age such "revolutionary" companies are still making mistakes like this that one would see in the early years of public usage of the internet circa 1993.

This is an entirely standard practice - indeed, I struggle to think of any site which DOESN'T e-mail you your password for your records.

Are you really so concerned about the security of your e-mail that you consider this to be a problem?

[Jill75]

I also know that this is a standard to keep you informed of your username and password in which you registered. For some, the link to verify you account is also sent in the email to confirm if that is you email also and if you registered using that email add. No big deal with that one and others knowing it unless your email add is hacked.

[RobbieClarken]

Quote:

Originally Posted by HarryT

This is an entirely standard practice - indeed, I struggle to think of any site which DOESN'T e-mail you your password for your records.

Are you really so concerned about the security of your e-mail that you consider this to be a problem?

I disagree. Very few e-commerce sites that I've subscribed to send passwords nowadays. I'm always quite shocked when I see my password in an email and make an effort to permanently delete that email immediately.

It is a security threat for me because I have my GMail on my iGoogle homepage. If I leave my computer unattended, anyone can see when I receive an email that begins:

Quote:

Thank you for registering with BooksOnBoard!
Your new username and password are as follows:

If I hadn't caught the message in time, nosey people might then be tempted to open that email.

I make sure to register on new sites with a temporary password and then change it to one of my standard passwords once I'm sure the site wont be reckless with my account details. I hope BooksOnBoard will change their policy of emailing passwords.

[rcuadro]

Heck, when you forget your password, most sites will simply email it to you at your registered email address...
I am not really worried about it. If you are worried about it simply change it after getting your initial confirmation email

[mjh215]

Quote:

Originally Posted by HarryT

Are you really so concerned about the security of your e-mail that you consider this to be a problem?

It is the transport that lacks security, once it is on your server you could have a very secure host. That is why you should always change any passwords emailed to you.

-MJ

[HarryT]

Quote:

Originally Posted by mjh215

It is the transport that lacks security, once it is on your server you could have a very secure host. That is why you should always change any passwords emailed to you.

-MJ

... and then the site e-mails you the new password .

[mjh215]

Quote:

Originally Posted by HarryT

... and then the site e-mails you the new password .

Is BooksOnBoard or eBooks actually doing that? I had gathered we were only discussing the initial registration. Most sites I've seen send confirmation emails informing that the password has changed but block out the password. Sending it out each time is disturbing.

-MJ

[HarryT]

Not, I don't think they do that - it's just the initial password.

[Over]

Quote:

Originally Posted by epiphany

I disagree. Very few e-commerce sites that I've subscribed to send passwords nowadays. I'm always quite shocked when I see my password in an email and make an effort to permanently delete that email immediately.

It is a security threat for me because I have my GMail on my iGoogle homepage. If I leave my computer unattended, anyone can see when I receive an email that begins:

That's the same as leaving your keys in the car. That's you who is having a risky behaviour. Sure, you can say a thief can brake a window and start the engine easily, but that doesn't stop you from leaving the can in public places, right?

And as pointed, if you forget your password, they have to email it to you anyway.

[RobbieClarken]

Quote:

Originally Posted by Over

That's the same as leaving your keys in the car. That's you who is having a risky behaviour. Sure, you can say a thief can brake a window and start the engine easily, but that doesn't stop you from leaving the can in public places, right?

And as pointed, if you forget your password, they have to email it to you anyway.

You're right that people can alleviate the security risk but people don't for a variety of reasons (for me it would be too much of an inconvenience to log out of GMail all the time or create a separate email account just for sites like BooksOnBoard). That is why most websites don't email you your password. If you forget your password, BooksOnBoard will email you a new one which isn't a problem. The problem is that when you set a password, BooksOnBoard will email it and other people might see that email before you notice it.

It's not a problem for me because I'm careful with this sort of thing. But I think it is a bad policy because there are people who share email accounts and aren't as aware of online security risks.

[RobbieClarken]

Quote:

Originally Posted by HarryT

Not, I don't think they do that - it's just the initial password.

Actually they send out your password every time you change it (I just tested it).

[thibaulthalpern]

Quote:

Originally Posted by rcuadro

Heck, when you forget your password, most sites will simply email it to you at your registered email address...
I am not really worried about it. If you are worried about it simply change it after getting your initial confirmation email

Not in my experience. Most eCommerce sites I've dealt with do not email the password in plain text.

[thibaulthalpern]

Quote:

Originally Posted by mjh215

It is the transport that lacks security, once it is on your server you could have a very secure host. That is why you should always change any passwords emailed to you.

-MJ

Exactly. It's when the email is in transit that that I am fearful of. Email has to go through various servers before actually reaching the final server destination.

[HarryT]

And what dire consequences might result from the interception of your BooksOnBoard password?