

Boycott websites that send you email with your password in clear text - imsaar
http://imsaar.posterous.com/boycott-websites-that-send-you-email-with-you

======
edmccaffrey
> Anybody sending you back your password in clear text is also storing it that
> way in their database

Incredibly ignorant statement. If it's encrypted in a reversible format then
it's not cleartext. If it's being sent in a confirmation email, then it could
even be stored as a one-way hash: password extracted from the form, inserted
into email, hashed and stored (This is what WordPress, for example, does).

A case can be made against both of those procedures, but that is a separate
issue from his statement being ignorant.

~~~
tptacek
If the app can "reverse" the encryption, so can an attacker. The case against
storing passwords this way is pretty strong.

~~~
tedunangst
If the key is embedded in the app and you don't keep the source on the server,
reversing the binary (if the attacker even thinks to steal it) is enough of a
hassle to deter most people. And maybe the attack only allowed them to copy
the database.

It's not foolproof, but for stupid free websites (that's what we're talking
about right?), storing encrypted passwords isn't an automatic gimme for the
attacker.

~~~
tptacek
It's a pernicious myth that passwords on "free" websites don't matter, because
no money is changing hands. Most people use the same password for random apps
as they do for their email account.

I don't even want to get into the rat-trap of "what kinds" of attackers are
stopped by reversibly encrypted passwords. There's no kind of attacker that
can reverse a properly hashed password, and so that's what you should use.

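The point above, that a properly hashed password cannot be reversed and so cannot be mailed back, as an added example that is not from the thread or any commenter: a minimal registration, login and reset flow over salted PBKDF2 from the Python standard library. `UserStore`, `ITERATIONS` and the `example.invalid` reset URL are assumed names for illustration.

```python
import base64
import hashlib
import hmac
import os
import secrets

# PBKDF2 work factor. Assumed value for this demo; raise it until one hash
# takes a noticeable fraction of a second on your own hardware.
ITERATIONS = 100_000


def hash_password(password: str) -> str:
    """Salted, slow, one-way: nothing stored here turns back into the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, b64(salt), b64(dk))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_b64, hash_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(hash_b64))


class UserStore:
    """Minimal in-memory account table: username -> password hash."""

    def __init__(self):
        self.users = {}
        self.reset_tokens = {}

    def register(self, username: str, password: str) -> str:
        self.users[username] = hash_password(password)
        # The welcome mail can only confirm the account: the plaintext is already gone.
        return "Welcome %s, your account is ready." % username

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def forgot_password(self, username: str) -> str:
        """A site that cannot reverse its hashes mails a one-time reset token,
        never the password (token hashing and expiry omitted here)."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[username] = token
        return "Reset link for %s: https://example.invalid/reset?token=%s" % (username, token)
```

Two registrations with the same password produce different stored strings because of the per-user salt, and neither the welcome mail nor the reset mail can contain the password since the store never holds it.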
------
vaksel
The key is to just use a different password on every site by employing a
special password structure.

For example, for HN, you can use:

orycPASSWORDy

[2 last letters][2 first letters][master password][1 first letter]

Good idea to mix and match numbers in the master password for added security.
So for HN it can be: orycpassword1y

The good thing is that you only need to remember a single password for all
your sites, yet they are all different. And if you ever forget a password, you
can figure out what it was by simply looking at the url.

~~~
imajes
at this point there's no real reason not to use a random password generator
for _every_ site. There are plenty of apps out there for auto login, and / or
most browsers will do this for you. Yes, there's some pain syncing with mobile
devices but this will go away at some point (modified oauth to validate
devices?).

Password schemes like this are still inherently breakable; as soon as someone
gets your key password then the rest is trivial to figure out - so why bother
with the complication?

~~~
vaksel
until your computer crashes and you find yourself locked out of every site on
the internet. No thank you.

+ what do you do when you aren't using your own computer. Want to check your
email at work? Nope sorry, gotta provide the 25 digit randomly generated
password.

Nothing is unbreakable, if someone wants your password they'll get it. For the
password generator case they can just break into your house and steal your
computer. Or organize a group of mercenaries to take hostages at AT&T to gain
access to your packets....hey we are talking about a nemesis right?

And here is an added bonus...how do you know that random password generator
app isn't sending all your passwords to a master file? Whoa, did I just blow
your mind?

Different passwords is all you need for protection. That way if the company
loses your username/passwords, the bots that will be using that information to
check the passwords on other sites, won't get a hit.

~~~
imajes
So, you made all kinds of awesome points that I went thru before I switched to
random passwords...

a. (on not having access to your passwords). iPhone with them helps. (yes, I
have to unlock that db with my hashing password). But in reality, I prefer
that I can't get access to my email/facebook/whatever without having my
machine. If I'm at work, I should be working... but it's the same machine
anyhow ;)

b. true about stealing my machine. But again, my passwords are locked by my
one key control password (which I don't easily remember either... yay for
muscle memory ;)). Yes, it's a SPoF.

c. I clarified with Little Snitch. I don't really care that much. Because
you're right: if one company screws you over and unveils your passwords, then
having a scenario where people could then log into your email or bank means
end of identity and a life of credit hell.

I just think that having a predictable password scheme is about the same as
having _the same_ password. If it's easy to guess, then you may as well have
the same. IMHO, the only way to guarantee against any problems if one of your
passwords is exposed is to go random. :)

------
tdedecko
I don't think a boycott is the best way to proceed with this problem. For
starters, I don't think you will get enough publicity to bring a boycott to
critical mass. Secondly, I think it would be more useful and effective to send
an email to the perpetrating website, inquiring or complaining about their
password storage techniques. When customers/users complain, a good business
will respond and attempt to resolve the problem.

~~~
imsaar
I agree with you. I have written to such websites before, but it is just one
more thing to do and follow up on. I was thinking that if I start collecting all
of them together I can do some kind of bulk action one day. This blog entry is
just the starting point and is by no means the last action on this.

Boycott might be too strong of a word. I just want to bring attention to this
point that the user community cares about security and this is not a good
practice.

------
swolchok
I posted a similar screed about iPhone/Twitter apps that send passwords in the
clear or with broken encryption a few days ago:
<http://scott.wolchok.org/plaintext.html> (HN post at
<http://news.ycombinator.com/item?id=877460>)

Not sure what the difference is that made people care about this but not that,
but open to enlightenment.

~~~
imsaar
Maybe it was my 'incredibly ignorant statement' :-) Maybe it was the title
of the post.

Your post looks pretty relevant, related and good. I have voted it up if that
helps.

------
imsaar
I am glad I am not the only one who feels sending passwords by email is a bad
thing:

<http://www.techconsumer.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/>

Thank you tomfakes for the comment.

------
jacquesm
So, you're telling me I should boycott the tax office here?

That'll go down real well with them. I think I'll skip this one.

------
imsaar
At least record your protest or change your password to something not related
to your real secret password.

------
fjabre
Ummm. Google Apps does this.

~~~
imsaar
I think Google Apps does this when you are setting up a new user account for
another user. Sending that is different, as they need the password to access
their account for the first time.

Although there are better ways to set up an account, and maybe Google Apps should
force the user to change their password on their first login, this is not
the same as me setting up my own account and getting an email with my own
password I just typed twice to register.

~~~
imajes
I think they also prompt new users to reset their password on first login
too...

