Ask HN: Blatant Security Flaw, Should I do something?
They replied with the email below. To my knowledge if they can tell me my password then that means they store it in plain text. Is this not a terrible security policy? Should I say something or do something about it?
Read HN for a while. First post. Thanks HN!
Note: (I censored with %'s)
Dear Brandon,
Thank you for registering for Pearson Education online products. Save this important email for future reference.
Click any of the links below, and log in with your Login Name and Password. If a link is not provided, you can access the material through one of the other links. Note: resource(s) that you did not register for directly have been provided courtesy of your textbook publisher.
----------------------- LOGIN NAME AND PASSWORD -----------------------
Login Name: kreiselb@%%%%%
Password: %%%%%%%%%
Access Authority: Student
------------------------------------ YOU NOW HAVE ACCESS TO THE FOLLOWING ------------------------------------
Site: MasteringPhysics
Section or Module: MasteringPhysics for Young/Freedman, University Physics with Modern Physics, 13e
2 comments
[ 5.7 ms ] story [ 17.5 ms ] threadWhen you sign up, I know your password and can send it to you in an email. Other than the fact that email is horribly insecure, there is nothing wrong with my having done this. And it tells you nothing about my infrastructure.
However afterwards I will only know your password if I save it. If you click on a forgot your password email and I can send you your password, then I must have stored your password in a recoverable form. That is not good.
I've seen this practice too, but it arises only because inexperienced system administrators don't understand how vulnerable the e-mail system is.
The single exception is an e-mail that says, "Here is the temporary password for your new account -- click the link and change your password at once." This kind of message is only meant to verify that an e-mail address is working and is associated with the applicant, nothing else. And the temporary password expires as soon as the applicant logs on and changes to a password of his own choosing. This limits the security risk inherent in putting a password in an e-mail.
All reasonably secure systems retain passwords only as hashes (secure encryptions of the original passwords), not as plain-text. This is not to say that the hash itself might represent a security vulnerability, because it can be attacked -- only that a plain-text password obviates the need for the attack by giving away the prize.