PerlMonks  

Re: Emailing Passwords? In 2020?

by AnomalousMonk (Bishop)
on Aug 18, 2020 at 01:15 UTC


in reply to Emailing Passwords? In 2020?

... [don't] email me my password via email.

How should your password be emailed to you?


Give a man a fish:  <%-{-{-{-<

Re^2: Emailing Passwords? In 2020?
by punklrokk (Scribe) on Aug 18, 2020 at 03:20 UTC
    A password reset link should go out at the bare minimum. The original reason that sites stopped sending passwords out is that an attacker that got control of an email account now potentially has a password that may be reused elsewhere. Things like not allowing the last N passwords as well as complexity requirements are considered par for the course these days.

      I don't think that's the original reason. It's more that email is an insecure medium in general. SMTP, POP3, IMAP, etc. don't always use encrypted connections. It's becoming more common to encrypt them for the first hop and last hop, but end users have no control over the security of their message as it travels server-to-server. A man in the middle can easily inspect or even alter the contents of the message.

      Sending passwords by email also has a worrying implication — it means that the site knows what your password is. Passwords should be hashed. A website shouldn't be able to send you your original password because it shouldn't know what your original password even is. Unix got rid of plain text passwords in 1973; this has been a well-known security principle for longer than many of us have been alive so there's really no excuse for still making this mistake.

      (PS: for what it's worth, I don't think AnomalousMonk was disagreeing with you, just pointing out that "email XYZ via email" is a tautology.)
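
The two points raised in the replies above (store only a hash, and email a reset link rather than a password) can be sketched together. This is an added example, not code from the thread or from PerlMonks; the in-memory stores, function names, PBKDF2 work factor and 15-minute lifetime are all assumptions.

```python
import hashlib, hmac, secrets, time

PBKDF2_ROUNDS = 600_000   # assumed work factor
TOKEN_TTL = 15 * 60       # assumed reset-link lifetime, in seconds

users = {}    # username -> (salt, password_hash); constructed in-memory store
resets = {}   # sha256(token) -> (username, expiry); the raw token is never stored

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def set_password(user, password):
    # Only salt + hash are kept, so the site has nothing it could email back.
    salt = secrets.token_bytes(16)
    users[user] = (salt, _hash(password, salt))

def check_password(user, password):
    if user not in users:
        return False
    salt, stored = users[user]
    return hmac.compare_digest(stored, _hash(password, salt))

def issue_reset_token(user, now=None):
    # The returned token is what goes into the emailed link. If the mail is
    # read in transit, the exposure is one short-lived, single-use token,
    # not a password the user may have reused elsewhere.
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    resets[hashlib.sha256(token.encode()).digest()] = (user, now + TOKEN_TTL)
    return token

def redeem_reset_token(token, new_password, now=None):
    now = time.time() if now is None else now
    # pop() makes the token single use, whether or not it is still valid.
    entry = resets.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True
```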
