|By Hurricane Labs||
|November 19, 2012 02:07 PM EST||
E-mailing Passwords – Practice What You Preach
By: Bill Mathews
I have a few pet peeves (okay maybe a lot more than a few) but some of them really do have a basis in reality and aren’t just blind rage. This one falls into the “based in reality” category and really enrages me. Every once in awhile I register for some security training because, well, I’m curious as to what else is out there and because I want to learn things I don’t already know…crazy right?
So I decided to take some online training while I’m on vacation this week (yes I know, not much of a vacation but that’s me). I did some research and decided to register for a course provided by a well-known training vendor (I won’t mention which as I’ve sent this problem to them and they should have some time to respond) and I dutifully registered through their online store and paid for the training. Sounds great, right? Not so fast – they informed me that I would receive a “registration” email which, if one follows modern site design, you would assume there would be a link to verify my email address, etc. So what did I get? That’s right, an email with my username and password listed right there. That probably doesn’t anger normal people (let alone drive them to write an article about it) but gentle readers, I have never been accused of being normal so I’m pretty annoyed. Here, in no particular order, are my reasons for the anger and frustration:
1) My password was right there in clear text. I’m not really concerned about it passing through my network unencrypted so much because SSL, despite its flaws, is pretty good at preventing snooping. No, my problem is that clearly they are not encrypting my password at all. Now I suppose they could be encrypting in their database and then decrypting it for the email but… well let’s just say if they were that well thought-out I’m pretty sure they wouldn’t have sent the email with my password in it in the first place.
2) During the registration process I was asked to save my credit card number for convenience while making later purchases. Now there is nothing out of the ordinary about this and I’ve personally never opted to do it, but they’re asking for a lot of trust for a company that clearly doesn’t even encrypt my password. This is both arrogance and bad form – this is how severe breaches start.
3) This is a security training company! They’re supposed to be teaching people not to do stupid things like this, it makes my head hurt. Stop me if you’ve heard this before: “But Enterprise XYZ does it that way, why can’t we?” I hear this all the time and it is sound logic… until XYZ accidentally has a SQL injection. Boom – not only your password but now your credit card numbers are at risk. Security companies must start leading by example and not “do as I say not as I do.”
4) You have to wonder about the quality of the advice/training you’re getting from them if they build their registration/checkout software this way. When I take the course I plan to ask – not just to be a typical security jerk – but rather to point out the obvious problem with passing yourself off as an expert while violating the basic tenets of security. Violations like this should be pointed out and corrected by the offending party.
5) I’ve probably said enough, but according to every SEO article I read I have to have at least five points so here’s my last one. If this company isn’t bothering to encrypt the password, what are the odds that they’re encrypting your stored credit card number? You know, the one that thing that makes it “convenient” for you to checkout later. I just lose all trust in a company when they do things this way and I simply cannot believe they’re handling the credit card numbers properly.
So there you have it – maybe now you understand why things like this make me Hulk out with rage. Happy Thanksgiving everyone and enjoy your online shopping, I know I won’t
- Innodisk | Efficiencies for Cloud Hardware at Cloud Expo New York
- Join Gartner, IBM, + AWS at AppSphere and save $200 when you register in August!
- In 2014 Big Data Investments Will Account for Nearly $30 Billion - Eventually Accounting for $76 Billion by 2020 End
- Global Cloud Security Market Growing at 15.7% CAGR to 2020: Forecast & Analysis in Research Report Available at ReportsnReports.com
- Video: DevOps and Security
- Worldwide Indoor Location Market Growing at 46.0% CAGR to 2019 Says a New Research Report Available at RnRMarketResearch.com
- Flexera Software's InstallAnywhere 2014 Simplifies Multi-Platform Installation for Physical, Virtual and Cloud Environments
- Mobility News Weekly – Week of August 3, 2014
- Searchmetrics Drives Over 200% World-Wide Growth As More Business Leaders Begin To Recognize The Value Of Search
- Mobility News Weekly – Week of August 17, 2014
- Digital Transformation's Impact on Enterprise Mobility and App Design Strategies
- Web Analytics Market by Solution (Search Engine Tracking & Ranking, Heat Map Analytics, Marketing Automation, Behavior Based Targeting) & by Services (Professional Services, Support & Maintenance) - Worldwide Forecasts & Analysis (2014 - 2019)
- Mobile Commerce News Weekly – Week of August 3, 2014
- Red Hat To Present At Internet of @ThingsExpo
- Mobile Cyber Security News Weekly – Week of August 10, 2014
- Where Are RIA Technologies Headed in 2008?
- Dolphin Announces Open API With Over 50 Add-ons Including Dropbox and Wikipedia
- Cloud People: A Who's Who of Cloud Computing
- 21st century Modern Alarm systems continue to play a key role in various institutions and industries
- SEO/SEM Tips & Tricks: How and When Should You Submit Your Website to Google?
- Cloud Expo 2011 East To Attract 10,000 Delegates and 200 Exhibitors
- Tips For Press Releases in Reputation Management from Industry Veteran Brandon Hopkins
- Yahoo! to Keynote 4th Cloud Expo: Accelerating Innovation with Cloud Computing
- Google Version 2.0: Googzilla - The Calculating Predator
- ManageWP Powers Over 100,000 WordPress Sites Within Three Months of Launch
- Ulitzer’s Amazing First 30 Days in Public Beta
- Google's Competitive Advantage: It Leverages "The Power of Free"
- Ulitzer vs. Ning - a Quick Review
- AOL To Enhance Video Search Engine by Adding RSS Feeds
- Confessions of a Ulitzer Addict