[_] New webapp account email stupidity
Andy Davies
dajdavies at gmail.com
Wed Nov 1 16:34:36 GMT 2006
On 01/11/06, Mark Hughes <mhsparks at gmail.com> wrote:
>
> On 10/31/06, Tim Beadle <tim.beadle at gmail.com> wrote:
> > They sent me a mail with my email address (used for login) and
> > password displayed next to each other in plain text.
> >
> > I've seen other big name sites do this too. My take on it was that, as
> > email is as secure as a postcard (ie not at all), this was bad form.
> > Am I paranoid, or are these sites clueless?
> >
>
> We send a welcome email for subscribers to our games that contains the
> username and password. My view has always been that as the login to
> the games isn't over SSL then that's just as likely to get sniffed as
> an email.
>
> I guess the other concern is your email / computer being compromised.
> Though if that was the case I imagine you'd have more to worry about
> than losing a few points from your fantasy football team!
>
> I'm open to being convinced otherwise though :-)
But how many people use different passwords for different online services?
If someone's using the same email address/password combination for a number
of online services then those who transmit security details in plain text
become the weakest link in the security chain and once someone sees these
details they can try them with other services.
Of course there's also the age old problem that many email services which
uses bog standard pop3 will have a plain text authentication system so the
username/password can be picked up by anyone sniffing the wire anyway.
There are some utilities around that will generate a unique password for
each site you visit based on the site's url and a master password -
http://angel.net/~nic/passwd.html. Keep meaning to give it a go but not got
around to it yet...
Andy
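As an added illustration of the per-site password idea Andy mentions (a unique password derived from the site's URL and a master password), here is a small Python generator. It is example code written for this page, not the angel.net utility's own algorithm: it normalises the URL to its host, stretches the master password with PBKDF2-HMAC-SHA256 salted by that host, and maps the result onto a fixed alphabet with rejection sampling so no character is favoured. The master password and URLs below are constructed sample values.

```python
import hashlib
from urllib.parse import urlsplit

# Alphabet for generated passwords: upper, lower, digits and a few symbols.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789"
            "!#%+=?@")
# Largest byte value that maps onto ALPHABET without modulo bias.
_LIMIT = 256 - (256 % len(ALPHABET))


def site_key(url: str) -> str:
    """Normalise a URL to its lower-cased host, so http://example.com/login
    and https://EXAMPLE.com/ yield the same per-site password."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"no host found in {url!r}")
    return host


def derive_password(master: str, url: str, length: int = 16,
                    iterations: int = 200_000) -> str:
    """Deterministically derive a per-site password from a master password.

    The site host is the PBKDF2 salt, so every site gets a distinct password
    and a password leaked for one site (e.g. mailed in plain text) says
    nothing about the others.  PBKDF2 iterations make recovering the master
    password from a leaked site password expensive.
    """
    if length < 8:
        raise ValueError("password length too short")
    salt = b"site-password-v1:" + site_key(url).encode()
    # Request more bytes than needed so rejection sampling still has enough.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              iterations, dklen=length * 4)
    chars = []
    for b in raw:
        if b >= _LIMIT:          # reject to keep the distribution uniform
            continue
        chars.append(ALPHABET[b % len(ALPHABET)])
        if len(chars) == length:
            return "".join(chars)
    raise RuntimeError("not enough unbiased bytes; increase dklen")


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample value
    for u in ("https://example.com/login", "http://EXAMPLE.com/", "example.org"):
        print(f"{site_key(u):<14} {derive_password(master, u)}")
```

The usual caveat with this scheme is that the master password cannot be rotated per site: changing it changes every derived password at once, and sites with their own composition rules may reject the generated string.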