ddddddzzzz-deactivated20120404 asked: What's so wrong about sending a new password in plaintext? It doesn't mean that the password is saved in plaintext...

This is a good question we’re asked a lot.

Here are two issues we have with being mailed a password:

  1. Email is not a safe medium. Man-in-the-middle attacks are easy to pull off between servers. The communication protocol itself is not encrypted.
  2. If someone were to hack into any mail account, all they need to do is search for ‘password’ and they have all of the user’s passwords. (Editor’s Note: you don’t have to have someone hack your account - just imagine how many people leave their email accounts logged in on public computers)

The fact that you send the initial password in plain text doesn’t mean you store it, but as you can see from the site, many people use the ‘forgot password’ option on sites and get their password sent back to them - a clear indication that the password is stored in plain text (or using reversible encryption, which is pretty much the same).

All in all - it’s not a safe thing to do and an indicator of low security standards. We use emailed passwords as proof of that.
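
An added example, not code from this blog: a password store that keeps only a salted PBKDF2 hash, so the ‘forgot password’ flow cannot mail the password back and instead issues a single-use, expiring reset token. The `Accounts` class, the 15-minute lifetime, the iteration count and the in-memory dictionaries are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 15 * 60      # assumed reset-token lifetime, in seconds
PBKDF2_ROUNDS = 600_000  # assumed work factor

class Accounts:
    """In-memory stand-in for a user table (constructed for this example)."""

    def __init__(self):
        self.users = {}   # email -> (salt, password hash); no plaintext kept
        self.resets = {}  # sha256(token) -> (email, expiry time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, self._hash(password, salt))

    def check_password(self, email, password):
        if email not in self.users:
            return False
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def start_reset(self, email, now=None):
        """Return the token to put in the emailed link, or None if unknown."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a digest of the token is stored, so a database leak
        # does not hand out working reset links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.resets[digest] = (email, now + RESET_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(digest, None)  # pop makes the token single use
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

The reset link still travels by email, but it expires and works once, so an old message found by searching a mailbox no longer contains a usable credential.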


  1. plaintextoffenders posted this