Signup Email Security Holes


Here’s the scenario: I visit a sparkly new website and create an account. Later I find a welcome email in my inbox confirming my new account. I don’t really need that, but thanks anyway. The unforgivable part is when that email includes my username and password in plain text. Do you think I forgot my password in the 5 minutes it took for the email to arrive? Who thinks this is a good idea? Besides the fact that SMTP is sent in plain text, all of my email is archived in multiple places (online webmail, locally in Outlook PST files, and in my desktop search index).

It’s fine with me if a user wants to be loose with their passwords and write them on Post-It notes, but please don’t do it for us automatically!
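An added illustration of the anti-pattern and its fix (example code written for this page, not from the original post): the site should store only a salted hash, and the welcome email should confirm the account without echoing the credential. The `Account`, `leaky_welcome_email`, `safe_welcome_email` and `email_leaks_secret` names and the sample credential are all constructed here; the last function is the kind of regression check a team can run over rendered mail templates.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from email.message import EmailMessage

PBKDF2_ROUNDS = 600_000  # work factor; tune for your hardware


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes  # only the salted hash is stored, never the password


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def verify_password(account: Account, attempt: str) -> bool:
    # constant-time compare so the check does not reveal where the hashes diverge
    return hmac.compare_digest(account.pw_hash, hash_password(attempt, account.salt))


def leaky_welcome_email(username: str, password: str, to_addr: str) -> EmailMessage:
    """The anti-pattern from the post: credentials echoed into a plain-text mail body."""
    msg = EmailMessage()
    msg["To"], msg["Subject"] = to_addr, "Welcome!"
    msg.set_content(f"Your account is ready.\nUsername: {username}\nPassword: {password}\n")
    return msg


def safe_welcome_email(username: str, to_addr: str) -> EmailMessage:
    """Confirms the account without restating anything secret."""
    msg = EmailMessage()
    msg["To"], msg["Subject"] = to_addr, "Welcome!"
    msg.set_content(f"Your account '{username}' is ready.\nIf you did not sign up, contact support.\n")
    return msg


def email_leaks_secret(msg: EmailMessage, secret: str) -> bool:
    """Regression check for outgoing templates: does the rendered body contain the secret?"""
    return secret in msg.get_content()
```

Running `email_leaks_secret` over every rendered template in a test suite catches a password (or reset token) that creeps back into a mail body long after the original bug was fixed.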


Comments (1)

  1. Peter Piotti says:

    When I worked for the Army (2000-2002), Confidential and Secret information could be sent in plain text in email. Only Top Secret information was prohibited from email. Their (poor) rationale was that the information was only exposed for an instant and lost in the clutter of all of the data moving across the internet at that point in time. Many decision makers do not recognize the security risks associated with email.