
Thread: Passphrase received in plain text e-mail

  1. #11
    Join Date
    Mar 2011
    Beans
    665

    Re: Passphrase received in plain text e-mail

    I would assume that if they have access to your plaintext password it means they aren't hashing it or they're doing something wrong.

  2. #12
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,573
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Passphrase received in plain text e-mail

    As I said before, if the password is stored using a symmetric cipher like AES rather than as a one-way hash like MD5 or SHA1, it can be decrypted and sent to the user.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  3. #13
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Passphrase received in plain text e-mail

    Quote Originally Posted by SeijiSensei
    As I said before, if the password is stored using a symmetric cipher like AES rather than as a one-way hash like MD5 or SHA1, it can be decrypted and sent to the user.
    I guess I'm being dim. Are there instances where it's ok to send a user their plaintext password and others where it's not? I get that they need to store it securely. But what about in transit? Plain text unencrypted traffic? If you send it out in plaintext, then it doesn't matter how securely you stored it on your servers. Anyone with Wireshark can read the password. It makes no sense to me.

  4. #14
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Passphrase received in plain text e-mail

    For a lot of sites it's the only means they have of getting a new password to the user, and they do tend to suggest changing it immediately. It does carry risks in the event of interception, and it does sort of push those risks onto the user. I know that if I received a plain text password in an email I'd change it right away.

  5. #15
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Passphrase received in plain text e-mail

    Quote Originally Posted by OpSecShellshock
    For a lot of sites it's the only means they have of getting a new password to the user, and they do tend to suggest changing it immediately. It does carry risks in the event of interception, and it does sort of push those risks onto the user. I know that if I received a plain text password in an email I'd change it right away.
    True, except that the default for two (infosec) mailing lists is that they'll email your password once every 6 weeks or so. If it's a bad idea once, then it's a great idea repeatedly, right?...

    Why don't they make you set your password on first login? Or set the password yourself when you sign up for the mailing list. Why email the password at all? I can't understand why a mailing list full of infosec dorks would find this email method acceptable.

  6. #16
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Passphrase received in plain text e-mail

    Oh, I didn't realize you were talking about infosec lists! No, no, the stuff we come up with is for other people to do, not us.

  7. #17
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Passphrase received in plain text e-mail

    Lol - totally explains it!

  8. #18
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,573
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Passphrase received in plain text e-mail

    Quote Originally Posted by Ms. Daisy
    I guess I'm being dim. Are there instances where it's ok to send a user their plaintext password and others where it's not?
    As a general rule, no, it doesn't make any sense. I had to write some code for password retrieval a while back. We send them an email with a unique link that takes them back to the site and makes them answer the two security questions they chose at registration. After all of this, I let them change their password.

    This was for a healthcare organization; HIPAA regulations would never let us send a person a password in plain text. Hell, I can't even send the person an email telling her when her next physician's appointment is scheduled. (Nosy boss reads email about employee's appointment, checks to see who the physician is, discovers the employee has cancer, and terminates the employee's contract on some trumped-up grounds or another.) It bugs me when physicians hand out business cards with their email address on them. Obviously they have no clue about why they cannot send patients plain-text emails.
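The reset flow SeijiSensei describes in #18 (emailed one-time link, then a password change) and the storage point from #12 (one-way hash, so the site can never recover or email the password) are sketched below as an added example; it is not code from the thread or from that healthcare project. It assumes in-memory dicts in place of a database, a 15-minute token lifetime, and leaves out the security-question step; only a hash of the emailed token is stored, so a leaked table cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the application's database.
USERS = {}           # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}    # sha256(token) -> {"user": str, "expires": float}
TOKEN_TTL = 15 * 60  # assumed lifetime of a reset link, in seconds


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way hash: verifiable, but not recoverable for e-mailing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[user] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def issue_reset_token(user: str, now: float) -> str:
    """Return the secret to embed in the emailed link; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"user": user, "expires": now + TOKEN_TTL}
    return token


def redeem_reset_token(token: str, new_password: str, now: float) -> bool:
    """Single use: the entry is removed whether or not it is still valid."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(digest, None)
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["user"], new_password)
    return True
```

The mailed link carries only the token; the user sets a new password on the site, so nothing that can authenticate them ever travels in plain text more than once, and that once expires.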
