[OWASP-Security101] emailing clear text passwords

Michael Coates michael.coates at owasp.org
Wed Mar 14 00:30:11 UTC 2012


Olivia,

Thanks for signing up.  You've raised some concerns that many have expressed with mailman software.  I've configured the list to not send monthly password reminders and just switched off the welcome email too.  There's a related thread at the following URL that talks about the same mailman issue.

http://mail.python.org/pipermail/mailman-users/2011-November/072457.html


> Hi,
>  
> I just signed up to this list and received my welcome email… which contains not only my password in clear text but also lets me know that the system will continue to send me my password each month in clear text unless I manually switch off the service.

Monthly password reminders were already disabled.  Also disabled the welcome message to nip this other item you pointed out. (thanks!)

>  
> For a forum on application security that seems a little hypocritical.  Now, not only do I have a record of the password that I manually typed in less than 5 minutes earlier (seems unlikely that I will have forgotten it already), but my bosses (who can access my corporate email if they so desire) and anyone in our IT department with access to our exchange server can also see it – and that's without anyone doing anything malicious.

Go ahead and change the password and you should be good. But remember, email is all plain text, so regardless of this password issue these same people can always see the email.


> I understand the requirements of a mailing list differ from an internet banking application but surely good security principles should be adhered to at all times, especially given the number of my friends who I know still use the same password for all their online accounts even after I’ve explained to them 20 times why it’s a bad idea….

Yes, it's good to adhere to best security practices at all times.  Understanding the full threat model and risks throughout the system also helps prioritize where security improvements should be spent.  For instance, we certainly shouldn't send passwords over email, but as we see from all systems, password resets are often sent over email.  The difference is that these are single use tokens with rapid expiration times, but it still points to the larger issue that it's tough to build secure communication if we're all over unencrypted email.


-------
Michael Coates | OWASP
michael.coates at owasp.org | @_mwc



On Mar 13, 2012, at 4:36 PM, Olivia Gillies wrote:

> Hi,
>  
> I just signed up to this list and received my welcome email… which contains not only my password in clear text but also lets me know that the system will continue to send me my password each month in clear text unless I manually switch off the service.
>  
> For a forum on application security that seems a little hypocritical.  Now, not only do I have a record of the password that I manually typed in less than 5 minutes earlier (seems unlikely that I will have forgotten it already), but my bosses (who can access my corporate email if they so desire) and anyone in our IT department with access to our exchange server can also see it – and that's without anyone doing anything malicious.
>  
> I understand the requirements of a mailing list differ from an internet banking application but surely good security principles should be adhered to at all times, especially given the number of my friends who I know still use the same password for all their online accounts even after I’ve explained to them 20 times why it’s a bad idea….
>  
> I recently had a discussion with security experts on automated password retrieval who suggested that emailing even random temporary time limited passwords (forcing the user to change password on login) in clear text was a bad idea and that a unique link is better practice.    My argument was that if the email is intercepted then a unique link will provide exactly the same capability for the hijacker as a temporary clear text password and that the real security is in the temporary nature of the provided information (both the password and the time in which you have to use it).   Other options obviously include the use of predefined secret questions but I find sometimes these questions are either too obvious and the answers are available in the public domain or too obscure and you end up with users who forget not only their password but the answers to their secret question(s) too.   I’d be interested to hear what you guys suggest as the best practice for automated password retrieval?
>  
> I find more and more that our security implementations need to strike a balance between risk vs user experience, the most secure options often provide a distinctly unfriendly and/or unintuitive user experience.  
>  
> Cheers,
> Olivia 
> 
> Olivia Gillies 
> Development Team Lead
>  
> Digital Village 
> Level 1, Building 1 
> 85 O'Riordan Street 
> Alexandria NSW 2015
>   
> t	+61 2 9469 5761
> f	+61 2 9469 5778
> e	Olivia.Gillies at traction-digital.com
> w	www.traction-digital.com
> 
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
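
The property Michael describes for emailed password resets (a single-use token with a rapid expiration), and the link-versus-temporary-password question Olivia raises, come down to the same server-side record: the raw token travels over email once, the server keeps only a hash of it, and redemption is refused if the token is expired, already used, or does not match. The following is an added illustration in Python, not code from this thread and not mailman's code; it assumes an in-memory store keyed by username, a hypothetical 15-minute lifetime, SHA-256 for the stored hash, and an injectable clock so expiry can be exercised without waiting. Whether the token is delivered as a link or as a one-time code changes nothing about these checks.

```python
"""Single-use, time-limited password-reset tokens (constructed example).

Assumptions (not from the thread or from mailman): an in-memory store,
a 15-minute lifetime, SHA-256 for the at-rest hash, and a clock function
passed in so that expiry can be simulated.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # hypothetical "rapid expiration" window


@dataclass
class ResetRecord:
    token_hash: bytes   # only the hash is stored; the raw token is emailed
    expires_at: float   # absolute time after which redemption is refused
    used: bool = False  # flipped on first successful redemption


class ResetTokenStore:
    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._records = {}  # username -> latest ResetRecord

    def issue(self, user):
        """Create a fresh 256-bit token for `user` and return the raw value.

        Issuing a new token replaces (and so invalidates) any earlier one
        for the same user, so only the most recent email is redeemable.
        """
        token = secrets.token_urlsafe(32)
        self._records[user] = ResetRecord(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self._clock() + self._ttl,
        )
        return token

    def redeem(self, user, presented):
        """Return True exactly once for a live, matching token; else False."""
        rec = self._records.get(user)
        if rec is None or rec.used:
            return False
        if self._clock() > rec.expires_at:
            return False
        digest = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison of the hashes, as for any secret check.
        if not hmac.compare_digest(digest, rec.token_hash):
            return False
        rec.used = True  # single use: a second redemption of the same token fails
        return True


def demo():
    """Walk through issue / redeem with a simulated clock; returns the outcomes."""
    now = [1000.0]
    store = ResetTokenStore(ttl=TOKEN_TTL_SECONDS, clock=lambda: now[0])
    first = store.issue("olivia")
    wrong = store.redeem("olivia", "not-the-token")   # False: no match
    ok = store.redeem("olivia", first)                # True: live and matching
    replay = store.redeem("olivia", first)            # False: already used
    second = store.issue("olivia")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem("olivia", second)          # False: past expiry
    return {"wrong": wrong, "ok": ok, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Storing only the hash means a copy of the database does not yield usable tokens, and marking the record used (rather than deleting it) keeps a trace of the redemption for auditing; the sender-side concern in the thread, that anyone who can read the mailbox can read the token, is exactly what the short lifetime and the single use bound.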
