Author Topic: Spyware registration issue; asks for password, then mails it in clear text


Offline drwiremore

  • Bronze Member
  • Posts: 2
  • Defending the weak and the innocents.
Here is my first impression, as a brand-new registrant with 24 years of security experience:

Good: Having logged in, registered and met their minimum password length, in step 2 I receive an email that asks for verification/confirmation (normal).

Terrible: The email includes, in plain text, my username and my password, although offering to allow me to change it. <very bad practice> (Why prompt for an initial password at all?)

For a web site of security professionals, offering security/malware support, they just violated the basic principles of privacy and contributed to phishing.

Suggest "strongly" that you do NOT email a password to someone who, by default, should accept the responsibility of knowing the password that they used to register.

Free advice: 1) The easiest fix, do NOT send the password with the registration confirmation.

2) If you want to be better, do not ask for an initial password at all; instead YOU generate a random password as part of the registration confirmation.  Then, "require" the person to change their password upon logon. <best practice>

3) Believing that (2) might be difficult or a significant change to your registration process, take the easy way.  Do not mail someone's password back to them as part of your registration confirmation.  Passwords should be secure, and if anyone does this the correct way, it should be a community of security experts.

In my humble opinion: (IMHO)
If you/we/I are to be anti-spy/mal/virus advocates, then you/we/I must demonstrate by our actions those same practices.  Fix your registration process, as the registration confirmation email violates basic privacy standards and subjects the registrant to possible phishing along the way.

dr


dr (24 yrs of making the net a safer place to be)
arpanet, internet, Internet-2, NLR, cloud

When people need help, they go to the geeks;
when the geeks need help, they go to the doctor.
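Suggestion (2) above, a server-generated random password that must be changed at first logon, as an added example; this is illustrative code, not the forum software's registration code. It stubs storage (a dataclass) and mail (a list), uses PBKDF2 from the standard library for the stored hash, and adds two assumptions not in the post: the temporary password expires after 24 hours, and it is retired the moment the user replaces it, so a copy lingering in a mailbox is worthless. `register_mailing_password` shows the practice the post criticises beside the hardened `register`.

```python
"""Registration that never mails a long-lived password (added example, not the forum's code)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TEMP_PASSWORD_TTL = 24 * 3600  # assumption: a mailed temporary password lives 24 hours
PBKDF2_ITERATIONS = 210_000    # illustrative work factor for PBKDF2-HMAC-SHA512


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes                      # only the hash is stored, never the password
    must_change_password: bool = False  # set while the server-generated password is in use
    temp_expires_at: float = 0.0        # 0.0 means "not a temporary password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(acct: Account, password: str) -> bool:
    # constant-time comparison of the recomputed hash against the stored one
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def register_mailing_password(username: str, chosen_password: str, outbox: list) -> Account:
    """The practice the post objects to: the confirmation mail carries the password
    the user chose, which then sits in mailboxes (and mail server logs) indefinitely."""
    salt = os.urandom(16)
    acct = Account(username, salt, hash_password(chosen_password, salt))
    outbox.append({"to": username, "body": f"Username: {username}\nPassword: {chosen_password}\n"})
    return acct


def register(username: str, outbox: list, now: Optional[float] = None) -> Account:
    """Suggestion (2): the server generates the initial password; it is short-lived
    and must be replaced at first login, so the mailed secret exposes nothing durable."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)  # ~96 bits from a CSPRNG; the user never chose it
    salt = os.urandom(16)
    acct = Account(username, salt, hash_password(temp, salt),
                   must_change_password=True, temp_expires_at=now + TEMP_PASSWORD_TTL)
    outbox.append({"to": username,
                   "body": f"Username: {username}\nTemporary password: {temp}\n"
                           "It expires in 24 hours and must be changed when you log in.\n"})
    return acct


def login(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Returns 'ok', 'must_change', 'expired' or 'denied'."""
    now = time.time() if now is None else now
    if acct.must_change_password and now > acct.temp_expires_at:
        return "expired"  # a stale mailbox copy is useless even if it is correct
    if not verify_password(acct, password):
        return "denied"
    return "must_change" if acct.must_change_password else "ok"


def change_password(acct: Account, current: str, new: str, now: Optional[float] = None) -> bool:
    """Completes first login: replaces the temporary hash and clears the flag,
    which retires the mailed secret. Minimum length of 12 is an assumption."""
    if login(acct, current, now) not in ("ok", "must_change"):
        return False
    if len(new) < 12 or new == current:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new, acct.salt)
    acct.must_change_password = False
    acct.temp_expires_at = 0.0
    return True


def temp_password_from_mail(body: str) -> str:
    """Read the temporary password back out of the stubbed mail (what the user would do)."""
    for line in body.splitlines():
        if line.startswith("Temporary password: "):
            return line.split(": ", 1)[1]
    raise ValueError("no temporary password in mail")


if __name__ == "__main__":
    outbox = []
    acct = register("newuser", outbox, now=0.0)
    temp = temp_password_from_mail(outbox[-1]["body"])
    print(login(acct, temp, now=10.0))                                     # must_change
    print(change_password(acct, temp, "correct horse battery", now=10.0))  # True
    print(login(acct, temp, now=20.0))                                     # denied
    print(login(acct, "correct horse battery", now=20.0))                  # ok
```

The point of the design is that the only secret ever put in mail is one the server minted, one that stops working after a single password change or 24 hours, whichever comes first; the user's real password exists only as a salted hash, and the confirmation mail can be phished or archived without giving an attacker a standing credential.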

Offline dvk01

  • Microsoft MVP
  • Bronze Member
  • Posts: 57
    • The Hedgehog
You need to set a balance between security and usability

The risk in sending a user a welcome email with their username & log in password is minimal

Experience tells us that a very high proportion of users infected by malware or with a computer problem panic and register for help. This site, along with the majority of well-run security sites, does insist on a reasonably high-level password, so it is not overly easy to remember.

I routinely see in server & form logs, new members having to reset passwords because they forgot what they registered with and didn't write it down

The reset procedure involves sending you a new password in plain text so you can write it down and remember it, or tells you to design a new password, and you write it down.

The moment you write down a password on a bit of paper and stick it on your monitor, or save it on the computer, it is possible to have it misused.

If someone has access to your email address then nothing is safe and all bets are off. Sending a login password is no more risky than crossing a road in normal circumstances.

In the real world, as opposed to the theoretical world, balances and compromises have to be made in order to actually do anything.