Monday, May 24, 2010

In plain text...

So I took up a free offer from Snapfish (here it is, you cheapskates :P) because, well, who doesn't like a free offer? Anyway, that's not the point of this post.

The point is the #@$#%! sent me the password in the notification email in plain text!


Now the average punter probably doesn't give a toss, but then again they probably don't get the implications. Basically it makes it easier for the nefarious amongst us to get your password, in four ways.

Firstly, there is the possibility of the password getting intercepted in transit. Email is relayed between mail servers in plain text (and where a hop does use TLS it is only encrypted for that hop, not end to end), so anyone who can sniff the traffic on the way can filter it for the message and lift your password straight out of it.

Secondly, in the world of freemail accounts with ever increasing storage limits, many users would never delete the email, and some would intentionally keep it around in case they forget the password. So if their email account is ever compromised, the password is as well.

Thirdly, it means the password can be retrieved from the service should that service ever be compromised. A site that can email you your password is, by definition, not storing a proper one-way salted hash of it. At best the password is stored reversibly encrypted, with the decryption key sitting on the same servers, and in this day and age that doesn't slow an attacker down for long; at worst it is simply stored in plain text. *shudder* Either way, a breach hands over the password itself, rather than a hash the attacker still has to crack.
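As an added illustration (not Snapfish's code, and not part of the original post), here is a small Python sketch contrasting the two ways a site might keep a password, and the reset-token flow that lets a notification email avoid carrying the password at all. The in-memory user table, the PBKDF2 iteration count and the token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "user table" for the example; a real site would use a database.
USERS = {}

# --- the practice the post complains about: the site keeps the password itself ---

def store_plaintext(username, password):
    """Store the password as-is. Anyone who reads the table (or the welcome
    email) has the password, and the site can happily mail it out again."""
    USERS[username] = {"password": password}

# --- the alternative: a salted, slow one-way hash the site cannot reverse ---

PBKDF2_ITERATIONS = 600_000  # assumption for the example; tune to ~100 ms on your hardware

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def store_hashed(username, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}

def verify_password(username, candidate):
    rec = USERS.get(username)
    if rec is None or "hash" not in rec:
        return False
    _, digest = hash_password(candidate, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison

def recoverable_password(username):
    """What a compromise of the service yields. With hashed storage there is
    no password to hand back, so this returns None."""
    return USERS.get(username, {}).get("password")

# --- what the notification email should carry instead: a one-time reset token ---

RESET_TOKEN_TTL = 3600  # seconds; assumption for the example

def issue_reset_token(username, now=None):
    """Return the token to put in the email. Only its hash is stored, so a
    database leak does not hand out live reset links."""
    token = secrets.token_urlsafe(32)
    USERS.setdefault(username, {})["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": (now if now is not None else time.time()) + RESET_TOKEN_TTL,
    }
    return token

def redeem_reset_token(username, token, new_password, now=None):
    """Single-use: the pending token is discarded once it expires or is redeemed."""
    rec = USERS.get(username)
    if rec is None or "reset" not in rec:
        return False
    pending = rec["reset"]
    if (now if now is not None else time.time()) > pending["expires"]:
        rec.pop("reset")
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    rec.pop("reset")
    store_hashed(username, new_password)
    return True
```

The point of the contrast: with `store_plaintext` the welcome email, the mailbox it lands in and the site's own database all carry the password; with `store_hashed` plus a reset token there is nothing in any of those places that logs you in by itself.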


Finally, your average punter is probably using the same password for 28 different sites, perhaps getting tricky by adding a number on the end for sites that need more "security" (like their internet banking). So once that one password is out, all of those other services are compromised as well.

So, I'm thinking something needs to be done to bring this issue to the attention of the masses and perhaps prompt these sites to change their practices. With that in mind I have some vague ideas for how to go about it, starting with embedding the results here.

[embedded Twitter search for the hashtag #inplaintext]

As you can see, if you tweet with the hashtag #inplaintext the results will show up here. For now that will satisfy my curiosity; hopefully I can expand on it a bit in the future. I'm thinking of building a good list of all the sites that do this and naming and shaming, or something along those lines.

2 comments:

  1. I used to get really angry about this sort of thing. Now I use KeePass and it just doesn't bug me any more. I am not pained by our dumber brethren.

  2. I've fixed up the offer link, sorry about that guys.

    Also, Foobear, it is all well and good for you and me to use KeePass (although I am unlikely to want to use a password manager that requires me to install stuff on every computer I use), but my mother will never use it; it's hard enough getting her to use a website in the first place.
