[OWASP-Security101] emailing clear text passwords
olivia.gillies at traction-digital.com
Tue Mar 13 23:36:08 UTC 2012
I just signed up to this list and received my welcome email... which contains not only my password in clear text but also lets me know that the system will continue to send me my password each month in clear text unless I manually switch off the service.
For a forum on application security that seems a little hypocritical. Now, not only do I have a record of the password that I manually typed in less than 5 minutes earlier (it seems unlikely that I will have forgotten it already), but my bosses (who can access my corporate email if they so desire) and anyone in our IT department with access to our Exchange server can also see it, and that's without anyone doing anything malicious.
I understand the requirements of a mailing list differ from an internet banking application but surely good security principles should be adhered to at all times, especially given the number of my friends who I know still use the same password for all their online accounts even after I've explained to them 20 times why it's a bad idea....
I recently had a discussion with security experts on automated password retrieval who suggested that emailing even random, temporary, time-limited passwords (forcing the user to change the password on login) in clear text was a bad idea and that a unique link is better practice. My argument was that if the email is intercepted then a unique link will provide exactly the same capability for the hijacker as a temporary clear text password, and that the real security is in the temporary nature of the provided information (both the password and the time in which you have to use it). Other options obviously include the use of predefined secret questions, but I find sometimes these questions are either too obvious and the answers are available in the public domain, or too obscure and you end up with users who forget not only their password but the answers to their secret question(s) too. I'd be interested to hear what you guys suggest as the best practice for automated password retrieval.
I find more and more that our security implementations need to strike a balance between risk and user experience; the most secure options often provide a distinctly unfriendly and/or unintuitive user experience.
[Traction Digital Pty Ltd]
Development Team Lead
Level 1, Building 1
85 O'Riordan Street
Alexandria NSW 2015
t +61 2 9469 5761
f +61 2 9469 5778
e Olivia.Gillies at traction-digital.com
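The reset-link flow debated above, as an added example that is not part of the original post or any OWASP code. It assumes a hypothetical in-memory token store, a 15-minute validity window and a base URL of https://example.invalid; the point it makes in code is that the link's capability can be limited beyond its lifetime: the token is high-entropy, only its hash is stored (so a leaked table does not yield working links), it is bound to one user, and it is consumed on first use.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption for this example: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Hypothetical store for single-use, time-limited password-reset tokens.

    The plaintext token exists only in the emailed link. At rest we keep
    a SHA-256 digest, so an attacker who reads this table still cannot
    construct a usable link (the token has 256 bits of randomness and is
    not recoverable from its hash).
    """

    def __init__(self, ttl_seconds: int = TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._records: Dict[bytes, ResetRecord] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id and return the plaintext (for the email only)."""
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._records[self._digest(token)] = ResetRecord(
            user_id=user_id, expires_at=self._clock() + self._ttl)
        return token

    @staticmethod
    def build_link(base_url: str, token: str) -> str:
        """Assumed link format; the real application would use its own route."""
        return f"{base_url}/reset?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Consume a token. Returns the bound user_id, or None if the token is
        unknown, already used, or past its expiry. Any rejection is final:
        an expired or used token is deleted rather than left to be retried."""
        # The lookup key is a digest of a value the caller must already know in
        # full; an attacker guessing tokens learns nothing from lookup timing.
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:
            return None
        now = self._clock()
        if record.used or now > record.expires_at:
            del self._records[key]
            return None
        record.used = True  # single use: a replayed link, even within the window, fails
        return record.user_id

    def stores_plaintext(self, token: str) -> bool:
        """True only if the plaintext token were ever kept at rest (it is not)."""
        return any(token.encode("utf-8") == k for k in self._records)


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("olivia")
    print(ResetTokenStore.build_link("https://example.invalid", tok))
    print("first redeem:", store.redeem(tok))   # user id
    print("second redeem:", store.redeem(tok))  # None, link already consumed
```

The step the post's comparison leaves out is what happens after the window: a mailed cleartext password that the user never changes remains valid indefinitely, whereas a token like this one is gone after one use or one expiry, and nothing useful about it survives in the mailbox, the mail server, or the database.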