22

A couple of websites with which I'm registered have, after a period of inactivity on my part, each sent me an e-mail to remind me that I'm still registered. In each case, that e-mail has included my password.

Is this a bad idea?

My thoughts are that, yes, it is, on the grounds that:

  1. If they are able to send me my password, does that imply that they're storing it unencrypted?
  2. Given that e-mails like these were sent specifically due to my inactivity, it's possible that I no longer use that e-mail account, which means that it could have been compromised since I last used it.
  3. Users frequently use the same passwords across multiple sites. If e-mail is inherently insecure, revealing a password from one site in this way potentially compromises the user's accounts on other sites.
Hendrik Brummermann (27,118) · Steve Melnikoff (323)
  • Related: http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html – Steve Melnikoff Aug 19 '12 at 16:42
  • Also related: http://security.stackexchange.com/questions/17979/is-sending-password-to-user-email-secure – Steve Melnikoff Feb 22 '13 at 16:02
  • At a previous employer, we had to take an online internet security course every year. The reminder to log in and take the course came in an unencrypted email and included both the user name and password in plain text. – Brian Jan 29 '15 at 20:36

4 Answers

30
  1. They are either storing it in plain text (likely) or they are using a reversible encryption. So in case of a compromise the password is at risk.

  2. Yes, and it is even worse: Some email providers such as Hotmail delete inactive email accounts and allow other people to register it. The upper management of Twitter was successfully attacked by re-registering an old Hotmail account.

  3. Yes, correct. A reused password that was revealed in one of those mails played an important role in the mentioned Twitter attack.

Hendrik Brummermann (27,118)
  • Why do you think it is likely that the password is stored unencrypted? Because they are using poor security practices? Nice reference to an actual attack based on the OP's concern. – this.josh Jul 04 '11 at 04:40
  • (3) Hi @this.josh, if they care so little about security to email the password to you, they are not going to go to the trouble to use reversible encryption; they will just store it plain-text. – Andrew Russell Jul 04 '11 at 11:54
  • It's too bad the concept of "finger" has gone by the wayside, since it would have been useful to have a means via which email providers could supply information about addresses including registration date. Not all providers would want to supply information, nor would anything prevent suppliers from presenting false information, but the risk of allowing email addresses to get recycled could be reduced if things like password-reset services could refuse to send emails that were registered after the account was created. – supercat Jul 08 '18 at 16:24
5

Hendrik has provided a great set of problems. In addition, even if the service operators use SMTP with TLS to submit the mail from their reminder-bot's MUA to their local MTA, they then have no guarantee and no way of knowing whether the content remains encrypted all the way to your MDA and MUA. In other words: they could be showing anyone your password, even if you receive the mail correctly.

[As an aside, Mailman is a high-profile mailing list manager that still follows this dangerous process. And guess what mailing list manager is used on the OWASP mailing lists? :-(]

-1

In the abstract, of course it's a bad idea, for all the other valid reasons (e.g. "storing it in plaintext", "interception", "account hijacking and replay", etc.) that other respondents have stated.

The issue that I'd like to raise, however -- as is nearly always the case with IT security-related questions like this -- is, "compared to 'what'?" If an alternate method, less vulnerable to interception (preferably out-of-band, e.g. ".zip your password into an encrypted archive, send it to you via e-mail and then call you by voice and dictate the password to you"), is available, then obviously that should be used.

But what if no such alternate channel is available, or is practical?

I can make a case that if the password that an end-user is likely to pick is "password" or "123456", that is inherently far more vulnerable than having a complex password e-mailed to that user, with instructions to use it only for a limited time and then change it to something equally complex (or to store it in a password manager like KeePass, LastPass or Password Safe, and then delete the plaintext version).

Unless your name is "Snowden" or "Assange", the relative chance that all your communications will be constantly monitored -- and therefore you are at risk of having the TCP/IP data-stream intercepted and thereby having your password intercepted -- is actually very low. Whereas, the risk that a weak password will eventually be hacked, is quite high.

So it all comes down to a situation of risk analysis. If you are in a high-threat environment (for example you are a bank, and you need to communicate account credentials to high-income customers), then, yes, ANY form of password communication that can be intercepted is likely not appropriate. If, on the other hand, you are running the Peoria, Ohio, Ladies' Auxiliary Floral Arrangement Society on-line discussion forum, and you need to give members password-protected access to the "Post Your Latest Flower Power Combinations" forum, then the consequences of a successful password interception and subsequent on-line attack are likely to be much less, and perhaps a greater level of risk in communicating the credentials can be accepted.

user53510 (800)
  • (1) The site should never send the password over an insecure link in the first place. If needs be, it should present an OTP to allow the user to log in and change the password, only at the request of the user, and expire it after use or a short amount of time. The password should be hashed, not encrypted, so that it's not possible to reverse it and work out the password. Getting the password to your "floral arrangement society" may be useful if it's the same password you use at, say, the bank. – Chris Murray Aug 14 '14 at 14:07
-4

Yes, mailing the passwords can make them liable to be stolen. But on the other hand, it can also be helpful to the account owners in case they have forgotten about that site, provided the communication occurs using proper encryption.

  • (4) It's not possible to ensure constant transport encryption for mail, so this is never a good idea. – Chris Murray Aug 14 '14 at 14:08
  • (3) If a user has 'forgotten' about the site, then offer a password reset option. Doing so means that you do not have to store the user's password in a way that breaks standard password protocols. – schroeder Aug 14 '14 at 16:59