| Plain Text Password Problems |
Article Index for Plain |
Website Links For Plain |
Information AboutPlain Text Password Problems |
|
THE PLAIN TEXT PASSWORD ISSUE It is a common practice to use only one or two Password s in total. Our hope when registering with a site is that they are sensible, and have done some research on what is good security practice. In practice, however, it's often not the case. A typical scenario is that someone register for a site, and then receive an email back from the site saying: Your username is: freddykruger Your password is: blades There are obvious risks with this. For now, I suggest that we catalogue which websites exhibit this problem, and start documenting how to go about it. HOW WEBSITES CAN AVOID SENDING PLAIN TEXT PASSWORDS Most simply put, there is no need to send a user their own password. A typical, medium security internet service requiring is internet dating, so we can use some of those sites as examples. To avoid sending users their personal, secret password, in an email that everyone can see, there are different approaches taken. A secure approach is to never send any part of a users own password. Instead, if a user forgets their password, they type in their email address, and either a link, or a new, automatically generated password, is sent. An example of a site that uses automatically generated passwords is LikeMynds . Less secure is to only send some of the characters of the password, such that the password can probably be remembered by the user. An example of this is FriendsReunited . Totally unsecure is to send all the login information in every email, as done by Dating Direct . WEBSITES TO BE AWARE OF THAT SEND PLAIN TEXT PASSWORDS
|
|
|