
I recently signed up for a company's product, and promptly received an email confirming my registration, showing both my email address and my password. I'm not a security expert, but that was a huge red flag for me. After performing some Google searches, I see nothing good about sending passwords as clear text. This includes a previous security.stackexchange.com post asking a similar question; however, it was asked quite a few years ago, so I don't know if something has changed with security.

Password sent in email as clear text

I was about to send them an email nearly scolding them and asking for an explanation as to why they are emailing passwords, but remembered seeing that emails are TLS encrypted. So I double checked the email in gmail, and sure enough, it is TLS encrypted.

Reading into Tesco's hack, I'm understanding that there is still a problem with the fact that the company knows what the password is to begin with. Based on what I'm reading, passwords should be salted AND hashed, and the company should never know what the password is.

Before I send this email, am I right? Is there a point in time where a company will know the password, securely send the password to an email address, and salt/hash the password, being none the wiser? Or do they deserve this email I'm about to send?

schroeder
Jesse A
  • Related: https://security.stackexchange.com/questions/7118/what-to-do-about-websites-that-store-plain-text-passwords/ – mti2935 Aug 24 '21 at 01:50
  • *"emails are TLS encrypted"* - emails are __at most__ TLS encrypted between the various hops of delivery (MTA - mail transfer agent) - i.e. there is __no end-to-end encryption between sender and recipient__. Every MTA on the way has the mail in clear text, this includes the last MTA (Google in your case). Google just shows if the connection from the last MTA to Google was encrypted with TLS, which says nothing about the previous hops the mail passed. – Steffen Ullrich Aug 24 '21 at 05:11
  • You might want to publicly shame them on https://plaintextoffenders.com/ and hope that they change policy. – Marcel Aug 24 '21 at 05:30
  • Bad idea that they *can* send you the password. Bad idea that they sent it. We've had multiple questions like this over the years. There's no justification for being able to send or to send your *existing* password. – schroeder Aug 24 '21 at 08:18

1 Answer


There is no reason to send a password in plain text. The password, once entered, should be securely hashed using a suitable password hashing function with strong salt, and the plaintext should be discarded.

The fact that the email is TLS encrypted is irrelevant. The main point of using appropriate password hashing techniques is to prevent disclosure in case the accounts are compromised. Sending a plaintext password means that anyone who gets a copy of that email can trivially compromise the account without being further noticed. Yes, an attacker could try to reset the password if they can read emails, but that might well be discovered. In this case, the attacker can snoop without further notice.

In addition, they probably are not refusing to send that email if the remote server doesn't support TLS encryption, so there are probably a decent number of users for whom they have exposed plaintext passwords to the Internet.

In general, email is a bad mechanism for sending secrets. It may or may not be encrypted, it tends to persist for a long time, and it's generally maintained by people outside of the account owner's control (e.g., ISPs and employers) who may have substandard ethical behavior. If secrets must be sent (e.g., password reset links and one-time passcodes), they should have a limited lifetime, which is not the case here.

In my opinion, the behavior of this company with regard to password handling significantly deviates from appropriate security practices. My guess is that it's not just the password handling, either.

bk2204
  • Sadly, this same inappropriate use of email happens far too often. I've even seen it from *Tech* companies. If you have the option, immediately change the password. – user10216038 Aug 24 '21 at 02:54
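The answer above describes the correct flow: hash the password with a per-user salt, discard the plaintext, and send only short-lived secrets by email. As an added illustration (not code from the question, the answer, or the company involved), the constructed Python below registers a user with standard-library PBKDF2, returns a confirmation-mail body that never contains the password, verifies logins in constant time, and issues single-use, expiring reset tokens whose stored form is itself hashed. The iteration count, TTL and in-memory dictionaries are example values chosen here, not recommendations from the answer.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "database": username -> record. A real service
# persists these columns; the point is that no plaintext password is kept.
USERS = {}

# PBKDF2-HMAC-SHA256 from the standard library. A memory-hard function such
# as Argon2id or scrypt is preferable where available. Iteration count is a
# constructed example value; tune it to your hardware.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username: str, password: str) -> str:
    """Store salt + hash only, then return the confirmation e-mail body."""
    salt = os.urandom(16)                       # per-user random salt
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}
    # The plaintext is dropped here; the e-mail must never echo it.
    return f"Hello {username}, your registration is confirmed."

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

# Reset tokens: the only secret that may go by e-mail, and only with a TTL.
RESET_TOKENS = {}          # sha256(token) -> (username, expiry timestamp)
TOKEN_TTL_SECONDS = 900    # constructed example lifetime (15 minutes)

def issue_reset_token(username: str, now: float) -> str:
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token so a database leak does not leak live tokens.
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, now + TOKEN_TTL_SECONDS)
    return token

def redeem_reset_token(token: str, now: float):
    """Return the username for a valid token, or None if unknown/expired."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)     # single use: consumed on lookup
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```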