Ask HN: Blatant Security Flaw, Should I do something? - kreiselb

I recently had to sign up with Pearson Education for my University Physics class online homework. (I am an undergrad student)

They replied with the email below. To my knowledge, if they can tell me my password, then that means they store it in plain text. Is this not a terrible security policy? Should I say something or do something about it?

Read HN for a while. First post. Thanks HN!

Note: (I censored with %'s)

Dear Brandon,

Thank you for registering for Pearson Education online products. Save this important email for future reference.

Click any of the links below, and log in with your Login Name and Password.
If a link is not provided, you can access the material through one of the other links.
Note: resource(s) that you did not register for directly have been provided courtesy of your textbook publisher.

-----------------------
LOGIN NAME AND PASSWORD
-----------------------

Login Name:        kreiselb@%%%%%

Password:          %%%%%%%%%

Access Authority:  Student

------------------------------------
YOU NOW HAVE ACCESS TO THE FOLLOWING
------------------------------------

Site:               MasteringPhysics

Section or Module:  MasteringPhysics for Young/Freedman, University Physics with Modern Physics, 13e
======
btilly
You're confused about the difference between signup emails and "forgot your
password" emails.

When you sign up, I know your password and can send it to you in an email.
Other than the fact that email is horribly insecure, there is nothing wrong
with my having done this. And it tells you nothing about my infrastructure.

However, afterwards I will only know your password if I save it. If you click
on a "forgot your password" email and I can send you your password, then I must
have stored your password in a recoverable form. That is not good.

------
lutusp
All other issues aside, because of how insecure the e-mail protocol is, with
one exception described below, including passwords in e-mails is very bad
practice.

I've seen this practice too, but it arises only because inexperienced system
administrators don't understand how vulnerable the e-mail system is.

The single exception is an e-mail that says, "Here is the temporary password
for your new account -- click the link and change your password at once." This
kind of message is only meant to verify that an e-mail address is working and
is associated with the applicant, nothing else. And the temporary password
expires as soon as the applicant logs on and changes to a password of his own
choosing. This limits the security risk inherent in putting a password in an
e-mail.

All reasonably secure systems retain passwords only as hashes (secure
encryptions of the original passwords), not as plain-text. This is not to say
that the hash itself might represent a security vulnerability, because it can
be attacked -- only that a plain-text password obviates the need for the
attack by giving away the prize.
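The two points made above (a signup email can echo a password the server only knows transiently, while a "forgot your password" flow that returns the password proves it was stored recoverably, and a temporary credential should expire once used) can be shown in a small store that keeps only salted hashes. This is an added example, not code from the thread or from Pearson; the algorithm, salt size, iteration count, token length and 15-minute reset lifetime are all assumed choices.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256, 16-byte salt, 15-min reset TTL.
PBKDF2_ITERATIONS = 200_000
RESET_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, the plaintext is discarded."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)  # constant time


class UserStore:
    """In-memory user table holding salted hashes and reset-token hashes only."""

    def __init__(self):
        self.users = {}   # login -> {"salt": bytes, "hash": bytes}
        self.resets = {}  # login -> {"token_hash": bytes, "expires": float}

    def register(self, login, password):
        # The plaintext is known only here, transiently; afterwards only the hash exists.
        salt, digest = hash_password(password)
        self.users[login] = {"salt": salt, "hash": digest}

    def login(self, login, password):
        rec = self.users.get(login)
        return rec is not None and verify_password(password, rec["salt"], rec["hash"])

    def request_reset(self, login, now=None):
        """'Forgot password' cannot return the password (the hash is one-way);
        it issues a one-time, time-limited token and stores only the token's hash."""
        token = secrets.token_urlsafe(32)
        expires = (time.time() if now is None else now) + RESET_TTL_SECONDS
        self.resets[login] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                              "expires": expires}
        return token  # this, not the password, is what the e-mail would carry

    def complete_reset(self, login, token, new_password, now=None):
        pending = self.resets.pop(login, None)  # single use: any attempt consumes it
        if pending is None or (time.time() if now is None else now) > pending["expires"]:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["token_hash"]):
            return False
        self.register(login, new_password)
        return True
```

The `now` argument exists only so expiry can be exercised deterministically; in real use the wall clock is taken.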

