

PizzaHut Security Fail - pain_perdu
http://i.imgur.com/bny2h9U.png

======
DigitalSea
What am I seeing done wrong here, where is the "fail"? The practice of sending
a user their password in email has been commonplace for some time now. The
password would hopefully be hashed in the database, but it's a simple matter,
when registering, to trigger an email with the unencrypted password; it doesn't
mean that they're actually storing unencrypted passwords.

As for security issues? I can see why some would consider sending a plain-text
password via email to be insecure (especially if someone were to get access to
your email), but if someone got access to your email account they could simply
do a password reset anyway. And are we forgetting some services will
auto-generate a password for you and send it to you via email? Same thing as
what we're seeing here, to be honest.

~~~
pain_perdu
You have a fair point that sending me the password after sign-up does not
prove they are actually storing it as plain text; however, e-mailing the
password is still considered by some to be a poor practice, as explained below
by <http://plaintextoffenders.com>:

Here are two issues we have with being mailed a password:

Email is not a safe medium. Man-in-the-middle attacks are easy to pull off
between servers. The communication protocol in itself is not encrypted. If
someone were to hack into any mail account, all they need to do is search for
‘password’ and they have all of the user’s passwords. The fact that you send
the initial password in plain text doesn’t mean you store it, but as you can
see from the site, many people use the ‘forgot password’ option on sites and
get their password sent back to them - a clear indication that the password is
stored in plain text (or using reversible encryption, which is pretty much the
same).

All in all - it’s not a safe thing to do and an indicator of low security
standards. We use emailed passwords as proof of that.

Also see [What's so wrong about sending a new password in plain text?](http://plaintextoffenders.com/post/7006690494/whats-so-wrong-about-sending-a-new-password-in)
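The thread's key point is that a "forgot password" flow can only mail the password back if the server can recover it. As an added example (not code from the thread or from the site under discussion), here is the alternative in Python: store only a salted PBKDF2 hash, and on a reset request hand out a random, single-use, time-limited token to put in the e-mail instead of the password. The in-memory USERS and RESET_TOKENS tables and the 15-minute token lifetime are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for database tables (demo assumption).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry_unix_time)

PBKDF2_ITERATIONS = 600_000   # OWASP-recommended floor for PBKDF2-HMAC-SHA256
TOKEN_LIFETIME_SECONDS = 900  # 15 minutes (assumption)


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username, password):
    """Keep only a salted one-way hash; the plaintext is never stored, so it
    cannot be e-mailed back later even if someone wanted to."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _pbkdf2(password, salt)}


def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"])


def forgot_password(username, now=None):
    """Return the token to embed in the reset link (None for unknown users;
    the HTTP response should look identical either way)."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token so a leaked table does not leak live tokens.
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, now + TOKEN_LIFETIME_SECONDS)
    return token


def reset_password(token, new_password, now=None):
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:            # unknown or already used (single use)
        return False
    username, expires = entry
    if now > expires:            # expired tokens are rejected and discarded
        return False
    register(username, new_password)
    return True
```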

