Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: Passphrase received in plain text e-mail

  1. #1
    Join Date
    Nov 2007
    Beans
    331
    Distro
    Ubuntu 12.04 Precise Pangolin

    Question Passphrase received in plain text e-mail

    A couple of organizations I know have web pages that automatically send you an e-mail when you sign up.

    The e-mail includes your username and passphrase in plain text.

    1) Is sending an e-mail with your passphrase like this always a bad policy?

    2) Can I deduce from this that the passphrases stored on their database are not hashed?

    3) Is it a sign that they have poor security?

    4) Should I change my passphrase, if a similar one has been used on other sites, now that this one has been sent in plain text via email?

    Thanks for your help!
    Linux-libre ask for it
    Coreboot Free software to replace proprietary BIOS
    Trisquel a fully free GNU/Linux-libre distribution
    Open Source does not mean Free My Spec Earthlings

  2. #2
    Join Date
    Jun 2012
    Beans
    301

    Re: Passphrase received in plain text e-mail

    Quote Originally Posted by yeehi View Post
    A couple of organizations I know have web pages that automatically send you an e-mail when you sign up.

    The e-mail includes your username and passphrase in plain text.

    1) Is sending an e-mail with your passphrase like this always a bad policy?

    2) Can I deduce from this that the passphrases stored on their database are not hashed?

    3) Is it a sign that they have poor security?

    4) Should I change my passphrase, if a similar one has been used on other sites, now that this one has been sent in plain text via email?

    Thanks for your help!
    it's a rather common practice, in my experience

    i don't worry about it too much as generally you can change your password right after receiving the initial

    done right the initial password should be 1 use only and limited to e.g. 10 minutes

    ~~~~~

    in thinking about hackers it is critical to observe that most hacking is facilitated by the installation of malware, -- which I like to describe as "un-authorized programming" *

    recently there has been a very refreshing trend to the provision of "approved libraries" such as we have for Ubuntu. I like to score this idea with 5 gold stars.

    it is interesting to note that Google/Android is moving in this direction with their mobil app store library. about time, I'd say.

    one other thing that is important and that is not addressed is the Software Inventory Audit. to start, the customer will need a manifest of the software that is supposed to be installed. The list of binaries and the CRC for each would then be obtained from the OEMs and the computer's disk checked against this manifest. the Audit would need to run from a live CD or better yet, automatically as an extension of UEFI.

    if the software approval process has failed at any point the problem should then be detected. there is a real opportunity for Canonical to get a Big Jump on the competition by producing this process.
    ~~~~~
    * using an un-authorized update to your computer software the attacker can modify the behavior of your computer in real-time and this is generally how hackers do their dirty work.

    it is important that the reader notice passwords and 2-factor authentication schems are of no use against these malware based attacks: the attacker uses your credentials while you are logged on to do his work.

    just as though you were trying to drive a car with the steering dis-connected.
    Last edited by mike acker; November 27th, 2012 at 01:24 PM. Reason: typing problems

  3. #3
    offgridguy's Avatar
    offgridguy is offline Grande Half-n-Half Cinnamon Ubuntu
    Join Date
    Jul 2012
    Beans
    Hidden!

    Re: Passphrase received in plain text e-mail

    Quote Originally Posted by yeehi View Post
    A couple of organizations I know have web pages that automatically send you an e-mail when you sign up.

    The e-mail includes your username and passphrase in plain text.

    1) Is sending an e-mail with your passphrase like this always a bad policy?

    2) Can I deduce from this that the passphrases stored on their database are not hashed?

    3) Is it a sign that they have poor security?

    4) Should I change my passphrase, if a similar one has been used on other sites, now that this one has been sent in plain text via email?

    Thanks for your help!
    I would take it as a sign of poor security.

  4. #4
    Join Date
    Nov 2010
    Beans
    54

    Re: Passphrase received in plain text e-mail

    Well, if you're going to change the passphrase to something else as soon as you get the email that's just about acceptable.

    Unencypted email is like sending a postcard, anyone involved in any stage of its delivery can read it.

    I don't think that you can deduce whether the password is hashed or not from the email you receive. Certainly storing passwords in plaintext is a very poor practice. Storing hashes passwords without using a salt is also not ideal.

  5. #5
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Passphrase received in plain text e-mail

    One way to determine if passwords aren't hashed is to see if there's a list of special characters you aren't allowed to use when choosing your own password. If they tend to function as operational characters in database queries that can be a pretty good indication that they are being passed in the clear.

  6. #6
    Join Date
    Sep 2010
    Beans
    898

    Re: Passphrase received in plain text e-mail

    Quote Originally Posted by yeehi View Post
    4) Should I change my passphrase, if a similar one has been used on other sites, now that this one has been sent in plain text via email?
    in my opinion, changing it would be a good idea.

    But using the same pass phrase on multiple, unrelated sites is not a good thing to do.

  7. #7
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Passphrase received in plain text e-mail

    4) Should I change my passphrase, if a similar one has been used on other sites, now that this one has been sent in plain text via email?
    Quote Originally Posted by Dave_L View Post
    in my opinion, changing it would be a good idea.

    But using the same pass phrase on multiple, unrelated sites is not a good thing to do.
    +1000
    Why would someone concerned about security use similar passwords anywhere?

  8. #8
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,717
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Passphrase received in plain text e-mail

    Are you talking about sites where you get an email with an initial password upon signing up? I don't have a problem with that practice since it's expected you'll replace the initial password with one of your own the first time you log in. Sending you back a password you created in plain text is a serious security flaw in my mind.

    And the fact that you received the password in plain text is not an indication that it is stored in plain text on the server. I wrote a HIPAA-compliant application where everything the person enters is encrypted with AES256 before being stored in the database. Since it's a symmetric cipher, I could easily decrypt the password and send it to you in plain text even though its encrypted on the server itself.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  9. #9
    Join Date
    Sep 2010
    Beans
    898

    Re: Passphrase received in plain text e-mail

    And the fact that you received the password in plain text is not an indication that it is stored in plain text on the server.
    I agree.

    Discussion forum scripts I've used would email the user name and password (in plain text) upon initial registration and upon a "forgot password" request, even though the password was stored in the database using one-way encryption. At those times, the script momentarily "knows" the plain text password, even though it's subsequently encrypted; the original unencrypted password was not stored anywhere (although in theory it could wind up in server email logs). In the case of a "forgot password" request, a new, random password would be generated, emailed and then encrypted for storage in the database.

  10. #10
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Passphrase received in plain text e-mail

    Honestly I encountered the same thing with a few mailing lists and I thought it was odd. So they're handling the password correctly on their end, they email it to you and then it becomes YOUR responsibility to handle it correctly.

    If it's a freemail account, then it's https, so it's encrypted. But when it's in transit to your email server, it's not encrypted, right?

    It just seems weird and counter-intuitive to send a password in plain text. Ever.

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •