Security Liars! Don't Email My Password to Me. WTF? ~ D. Patrick Caldwell on Software Engineering

Monday, January 19, 2009


I have three levels of security when it comes to my passwords. The first level is the one I use for all of my banking institutions. It is long and complex and I change it relatively frequently. The second is the middle-tier password, and I use it for websites that I really don't want people getting into, like my email. The third is the password I use for all of the crap that I don't really care that much about, like Facebook and sites whose security I feel can't be trusted.

Today, I signed up for a new site. It qualified as a middle-tier site with regard to the personal information they'd undoubtedly be storing. It also passed the other tests, leaving me relatively certain that they'd be protective of my security. They use HTTPS, they have the VeriSign-approved logo, and all appears well and good. I signed up, created a username, and put my middle-tier password in the box. I hit submit, and about 30 seconds later my confirmation email appeared in my inbox.

It was the standard confirmation email. Welcome Patrick. We're glad to have you. Keep your username filed away for future reference. Your password is . . . WTF? My password? Why in the name of all things holy and good did they email my password to me? I typed the damned thing in there twice? I obviously knew what it was. What kind of idiots do they have workin' over there?

As my brain flooded with questions, a few important things stood out. If they emailed my password, did they email it before they stored it (not likely), or are they storing it in plain text (likely . . . and stupid)? Whatever the answer, a site that hashes each password on arrival with a salted one-way function has nothing it could put in that email; if the password can be read back out, it is being kept in recoverable form. How am I ever supposed to trust this company with my credit card information if I can't trust them with my password? And why did they even bother going through all of the effort to get an SSL certificate to secure my HTTP POST if they were just going to send my damned password out in an email?

As a programmer, I know that there are two potential cases: first, they're too dumb to know any better or second, they're liars. By virtue of the fact that they actually did bother to get an SSL cert, I can only presume that they're just security liars. They know they need to secure the site and I'm sure they believe that they should protect your password, but they obviously aren't. I am very disappointed and I wish I could have my password back before some rogue developer over there decides he (or she) wants to publish the entire password database on the internet.
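The two storage choices the post contrasts, side by side, as an added example that is neither the site's code nor the post author's: `register_plaintext` keeps the password as typed (which is the only way a welcome email can contain it), while `register_hashed` keeps a per-user salted PBKDF2-HMAC-SHA256 digest and has nothing to email back. It also shows the one thing the second comment below says legitimately belongs in an email, a random, single-use, expiring reset token, stored only as a hash. All names, the in-memory dicts, the work factor and the token lifetime are assumptions for illustration; a production service would typically use a dedicated library (Argon2, scrypt or bcrypt are common choices) rather than hand-rolled PBKDF2 calls.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the site's database.
# Each dict maps username -> record; in a real service these are tables.
PLAINTEXT_DB = {}
HASHED_DB = {}
RESET_TOKENS = {}   # username -> (sha256(token), expiry as unix time)

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
RESET_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


# --- The pattern the post complains about -------------------------------

def register_plaintext(username, password):
    """Store the password exactly as typed and return the welcome email.

    Because the record holds the plaintext, the email template can read it
    back out, and so can anyone who obtains a copy of the database."""
    PLAINTEXT_DB[username] = {"password": password}
    return f"Welcome {username}. Your password is {PLAINTEXT_DB[username]['password']}"


# --- The hardened pattern ------------------------------------------------

def _store_hashed(username, password, iterations=PBKDF2_ITERATIONS):
    """Keep only a salted, iterated hash. The plaintext is not retained."""
    salt = os.urandom(16)                          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    HASHED_DB[username] = {"salt": salt, "iterations": iterations, "hash": digest}


def register_hashed(username, password, iterations=PBKDF2_ITERATIONS):
    """Store the hash and return the welcome email.

    Once _store_hashed returns, nothing on the server can reproduce the
    password, so the email cannot contain it even if a developer wanted it to."""
    _store_hashed(username, password, iterations)
    return f"Welcome {username}. Keep your username filed away for future reference."


def verify(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = HASHED_DB.get(username)
    if rec is None:
        # Burn the same work for unknown usernames so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])


# --- What an email may legitimately carry: a temporary reset token -------

def issue_reset_token(username, now=None):
    """Mint a random, single-use, expiring token and store only its hash, so a
    database leak does not hand out usable reset links. The returned token is
    what the reset email carries instead of a password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = (hashlib.sha256(token.encode("utf-8")).digest(), now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(username, token, new_password, now=None):
    """Accept the token once, before expiry, and replace the stored hash."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(username)
    if entry is None:
        return False
    stored_hash, expiry = entry
    if now > expiry:
        del RESET_TOKENS[username]                 # stale token is worthless; discard it
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode("utf-8")).digest(), stored_hash):
        return False
    del RESET_TOKENS[username]                     # single use
    _store_hashed(username, new_password)
    return True
```

The contrast is in what each registration function can return: the plaintext variant echoes the password because it still has it; the hashed variant could not echo it even by mistake, because the salt and digest are all that survive. The reset path shows that "emailing something secret" is still possible without ever holding the password: the token is random rather than user-chosen, is useless after one use or fifteen minutes, and is itself only stored hashed.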

© 2008, D. Patrick Caldwell, President, Autopilot Consulting, LLC

2 comments:

  1. You are not alone; there are tons of companies that think SSL is secure and that's all they need to do.

    And to email passwords to people, just plain stupid.

  2. Agreed. The only reason to email a password to someone is to email them a temporary password for resetting their account after having, as best as possible, authenticated their identity.
