E-mailing Passwords – Practice What You Preach
By: Bill Mathews

I have a few pet peeves (okay maybe a lot more than a few) but some of them really do have a basis in reality and aren’t just blind rage. This one falls into the “based in reality” category and really enrages me. Every once in awhile I register for some security training because, well, I’m curious as to what else is out there and because I want to learn things I don’t already know…crazy right?

So I decided to take some online training while I’m on vacation this week (yes I know, not much of a vacation but that’s me). I did some research and decided to register for a course provided by a well-known training vendor (I won’t mention which as I’ve sent this problem to them and they should have some time to respond) and I dutifully registered through their online store and paid for the training. Sounds great, right? Not so fast – they informed me that I would receive a “registration” email which, if one follows modern site design, you would assume there would be a link to verify my email address, etc. So what did I get? That’s right, an email with my username and password listed right there. That probably doesn’t anger normal people (let alone drive them to write an article about it) but gentle readers, I have never been accused of being normal so I’m pretty annoyed. Here, in no particular order, are my reasons for the anger and frustration:

1) My password was right there in clear text. I’m not really concerned about it passing through my network unencrypted so much because SSL, despite its flaws, is pretty good at preventing snooping. No, my problem is that clearly they are not encrypting my password at all. Now I suppose they could be encrypting in their database and then decrypting it for the email but… well let’s just say if they were that well thought-out I’m pretty sure they wouldn’t have sent the email with my password in it in the first place.

2) During the registration process I was asked to save my credit card number for convenience while making later purchases. Now there is nothing out of the ordinary about this and I’ve personally never opted to do it, but they’re asking for a lot of trust for a company that clearly doesn’t even encrypt my password. This is both arrogance and bad form – this is how severe breaches start.

3) This is a security training company! They’re supposed to be teaching people not to do stupid things like this, it makes my head hurt. Stop me if you’ve heard this before: “But Enterprise XYZ does it that way, why can’t we?” I hear this all the time and it is sound logic… until XYZ accidentally has a SQL injection. Boom – not only your password but now your credit card numbers are at risk. Security companies must start leading by example and not “do as I say not as I do.”

4) You have to wonder about the quality of the advice/training you’re getting from them if they build their registration/checkout software this way. When I take the course I plan to ask – not just to be a typical security jerk – but rather to point out the obvious problem with passing yourself off as an expert while violating the basic tenets of security. Violations like this should be pointed out and corrected by the offending party.

5) I’ve probably said enough, but according to every SEO article I read I have to have at least five points so here’s my last one. If this company isn’t bothering to encrypt the password, what are the odds that they’re encrypting your stored credit card number? You know, the one that thing that makes it “convenient” for you to checkout later. I just lose all trust in a company when they do things this way and I simply cannot believe they’re handling the credit card numbers properly.

So there you have it – maybe now you understand why things like this make me Hulk out with rage. Happy Thanksgiving everyone and enjoy your online shopping, I know I won’t