Please, ô please, no passwords in my emails

April 5th, 2008 | by Laurent FP |

Why are web2.0 services still sending passwords by email?

I am amazed, day in and day out, at the number of services that send me a confirmation email containing my password right after I sign up. As if I would not remember what I typed seconds before.

And as everyone knows, email is not very secure. Let's see: I have a copy on the server (with Gmail it is even harder to delete), a copy on my desktop, one in my Outlook search index, in the Windows search index, in the Google Desktop index, in my PST backup, in Carbonite, … So my carefully crafted password is already seriously exposed, right from my own computer, and that is before counting the mail servers and networks the message crossed on its way to me.

Here is a VERY short and incomplete list of sites/services that send the password in plain text by email.

I suspect hundreds more could be added to the list, big and small. I invite you to complete it by posting a comment below. Try a search for “password” in your own email archive; any message that spells out your password in the body belongs on the list.
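As an added example (not part of the original post) of running that search in a systematic way, the Ruby script below parses an mbox export, flags every message whose body hands over a credential on a `password:` or `password =` style line, and reports sender and subject with the value redacted so the report does not spread the password any further. The sample mailbox, addresses and subjects are constructed for the example; the parser is a minimal one written here and is not a library.

```ruby
# Constructed sample mailbox in mbox format: two signup mails that include the
# password and one newsletter that merely mentions the word. Addresses and
# subjects are made up for the example.
SAMPLE_MBOX = <<~MBOX
  From noreply@example-service.test Sat Apr 05 10:00:00 2008
  From: noreply@example-service.test
  Subject: Welcome to Example Service

  Your account has been created.
  Login: alice
  Password: hunter2

  From newsletter@example-shop.test Sat Apr 05 11:00:00 2008
  From: newsletter@example-shop.test
  Subject: Spring sale

  Forgot your password? Click the reset link on our site.

  From support@example-registrar.test Sat Apr 05 12:00:00 2008
  From: support@example-registrar.test
  Subject: Your registrar account

  username: alice
  password = S3cret!
MBOX

# A body line that hands over a credential: "password: x", "pwd = x", "passwd: x".
# A bare mention such as "Forgot your password?" does not match.
PASSWORD_LINE = /\b(pass(?:word|wd)?|pwd)\s*[:=]\s*(\S+)/i

# Minimal mbox parser: each message starts at a "From " separator line,
# headers run until the first blank line, the rest is the body.
def parse_mbox(text)
  messages = []
  current = nil
  text.each_line(chomp: true) do |line|
    if line.start_with?('From ')
      current = { headers: {}, body: [], in_body: false }
      messages << current
      next
    end
    next if current.nil?
    if current[:in_body]
      current[:body] << line
    elsif line.strip.empty?
      current[:in_body] = true
    elsif (m = line.match(/\A([\w-]+):\s*(.*)\z/))
      current[:headers][m[1].downcase] = m[2]
    end
  end
  messages
end

# Returns one entry per message that contains a password line, with the
# credential value replaced by "[redacted]".
def find_mailed_passwords(mbox_text)
  parse_mbox(mbox_text).each_with_object([]) do |msg, report|
    hits = msg[:body].map do |line|
      next unless (m = line.match(PASSWORD_LINE))
      line.sub(m[2], '[redacted]')
    end.compact
    next if hits.empty?
    report << { from: msg[:headers]['from'], subject: msg[:headers]['subject'], lines: hits }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass the path of an mbox export as the first argument; otherwise use the sample.
  mbox = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_MBOX
  find_mailed_passwords(mbox).each do |hit|
    puts "#{hit[:from]} | #{hit[:subject]}"
    hit[:lines].each { |l| puts "    #{l}" }
  end
end
```

Run it as `ruby scan_mbox.rb ~/mail/inbox.mbox` (Thunderbird, Apple Mail and Gmail's takeout all export mbox). Two of the three sample messages are reported; the newsletter that only mentions the word is not.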

As mentioned, a single email containing your password is enough to compromise your data and your identity, and it is far worse if that password is reused elsewhere. So stay clear of using the same password everywhere. If you can, use OpenID or ClickPass instead. Failing that, go back to basics: a strong password policy with a different password for each service, and change any password that has ever been sent to you by email.

From looking at all those emails that arrived with my password in them, I decided to look into it a bit more. The first thing that jumps out at you is that they all look very similar in form, as if taken from the same template. Sure enough, after some digging I found that some of the services listed above are based on Ruby on Rails and appear to be using the acts_as_authenticated or restful_authentication plugins. Both plugins ship with a signup email template. Those templates are convenient, but by default they put the password that the user just typed into the message body, which is not best practice and seriously puts new users at risk. The fix on the service side is simple: hash the password at signup, never keep the plaintext around, and confirm the address with a random, single-use activation link instead.
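To make the contrast concrete, here is an added example in plain Ruby, not code from either plugin or from the original post. The first part shows the vulnerable shape the post describes: a mailer template that still has the plaintext password in scope and interpolates it. The second part shows the hardened flow: the password is hashed at signup (PBKDF2 from Ruby's bundled OpenSSL is used here so the example runs offline; a Rails app today would use bcrypt via `has_secure_password`), the plaintext is never stored, and the mail carries only a random single-use activation token. The `User` struct, the `leaks_password?` check and the example.test URLs are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

# --- Vulnerable pattern: the signup mail interpolates the plaintext password ---
# Mirrors the pattern the post describes (a template that still has access to the
# password the user just typed); it is not copied from either Rails plugin.
VULNERABLE_TEMPLATE = <<~MAIL
  Your account has been created.

    Login:    %{login}
    Password: %{password}

  Visit this URL to activate your account: %{url}
MAIL

def vulnerable_signup_mail(login, password, activation_url)
  format(VULNERABLE_TEMPLATE, login: login, password: password, url: activation_url)
end

# --- Hardened pattern: hash at signup, keep no plaintext, confirm with a token ---
PBKDF2_ITERATIONS = 100_000

def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                                      OpenSSL::Digest.new('SHA256'))
  [salt, digest]
end

# Constant-time comparison so a timing difference does not help guessing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def password_matches?(password, salt, digest)
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                                         OpenSSL::Digest.new('SHA256'))
  secure_equal?(candidate, digest)
end

# In-memory stand-in for the users table (hypothetical; a real app persists this).
User = Struct.new(:login, :email, :salt, :password_digest, :activation_token, :active)

def create_user(login, email, password)
  salt, digest = hash_password(password)
  token = SecureRandom.urlsafe_base64(32) # 256 random bits, single use
  # The plaintext `password` is not stored anywhere on the record.
  User.new(login, email, salt, digest, token, false)
end

SAFE_TEMPLATE = <<~MAIL
  Your account %{login} has been created.

  To activate it, visit this link (it works once):
    %{url}

  We never store or send your password. If you did not sign up, ignore this message.
MAIL

def safe_signup_mail(user, base_url)
  format(SAFE_TEMPLATE, login: user.login,
                        url: "#{base_url}/activate/#{user.activation_token}")
end

# Consumes the token: a second visit with the same token is rejected.
def activate!(user, token)
  return false if user.activation_token.nil? || !secure_equal?(user.activation_token, token)
  user.active = true
  user.activation_token = nil
  true
end

# Check a service could run against every outgoing mail in its test suite.
def leaks_password?(mail_body, password)
  mail_body.include?(password)
end

if __FILE__ == $PROGRAM_NAME
  pw = 'correct horse battery staple'
  puts vulnerable_signup_mail('alice', pw, 'https://example.test/activate/1')
  user = create_user('alice', 'alice@example.test', pw)
  mail = safe_signup_mail(user, 'https://example.test')
  puts mail
  puts "vulnerable mail leaks password: #{leaks_password?(vulnerable_signup_mail('alice', pw, 'x'), pw)}"
  puts "safe mail leaks password:       #{leaks_password?(mail, pw)}"
end
```

The important design point is that the safe mailer cannot leak the password even by mistake, because by the time the mail is rendered the plaintext no longer exists anywhere: only the salt, the digest and the activation token are on the record. A token-based reset link follows the same principle, which is also why a service should never need to "remind" you of a password.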

One Response to “Please, ô please, no passwords in my emails”

By Laurent FP on Apr 12, 2008

  Just adding to the list of sites sending passwords in their emails:

  - revision3.com (powered by WordPress)
  - mitsu.in (India's biggest registrar)
