[_] New webapp account email stupidity

Mark Hughes mhsparks at gmail.com
Wed Nov 1 18:47:22 GMT 2006

On 11/1/06, Andy Davies <dajdavies at gmail.com> wrote:

> On 01/11/06, Mark Hughes <mhsparks at gmail.com> wrote:
> >
> > We send a welcome email for subscribers to our games that contains the
> > username and password. My view has always been that as the login to
> > the games isn't over SSL then that's just as likely to get sniffed as
> > an email.
> >
> > I guess the other concern is your email / computer being compromised.
> > Though if that was the case I imagine you'd have more to worry about
> > than losing a few points from your fantasy football team!
> >
> > I'm open to being convinced otherwise though :-)
>
> But how many people use different passwords for different online services?
>
> If someone's using the same email address/password combination for a number
> of online services then those who transmit security details in plain text
> become the weakest link in the security chain and once someone sees these
> details they can try them with other services.
>

A valid point. My personal behaviour is that I have a few passwords I
use for non SSL sites and then choose unique ones for SSL sites which
store financial information etc. but as you say, I'm sure most people
don't.



> Of course there's also the age old problem that many email services which
> use bog standard pop3 will have a plain text authentication system so the
> username/password can be picked up by anyone sniffing the wire anyway.
>

Yep. I guess the valid argument would be that when authenticating with
a site, all password details should be sent using SSL. I'd estimate
that 99%+ don't and for me this is at least as important a concern as
sending passwords in welcome emails.


>
> There are some utilities around that will generate a unique password for
> each site you visit based on the site's url and a master password -
> http://angel.net/~nic/passwd.html. Keep meaning to give it a go but not got
> around to it yet...
>

That's a neat idea, like you I can see me meaning to give it a go and
then not getting around to it though!
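
Added example (not part of the original message, and not the algorithm of the tool linked above): a sketch of the per-site password idea mentioned in the thread, deriving each password from a master password and the site's host name with PBKDF2-HMAC-SHA256. The function names, iteration count and sample URLs are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Assumed work factor. A site password that leaks (for instance from a
# plain-text welcome email) lets an attacker guess the master password
# offline, so each guess is made deliberately expensive.
ITERATIONS = 200_000


def site_key(url: str) -> str:
    """Reduce a URL to its host name so every page of a site maps to one key.

    Uses the host name, not the registrable domain, so sub-domains such as
    games.example.org and example.org get different passwords.
    """
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a deterministic per-site password; nothing is stored anywhere."""
    if not master:
        raise ValueError("master password must not be empty")
    if not 8 <= length <= 40:
        raise ValueError("length must be between 8 and 40")
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        site_key(url).encode("utf-8"),  # the site name acts as the salt
        ITERATIONS,
        dklen=32,
    )
    # URL-safe base64 keeps the result to letters, digits, '-' and '_'.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample inputs: one master password, two unrelated sites.
    for site in ("http://www.example.com/login", "https://games.example.org/"):
        print(site_key(site), site_password("correct horse battery", site))
```

A password sniffed from one site is then useless on any other, which addresses the reuse problem raised above, but only as long as the master password itself is strong and never typed into a site directly.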