Password by mail
I always look askance at a letter when I receive my password in the clear as soon as I have registered somewhere. I'm stupid? I forgot it immediately? I wrote it twice the same wrong when registering? I can not poke on the button "Forgot password"?
But superjob.ru site just discouraged me! They sent a useless letter from the series, if you don’t know, then we have such a service, and at the same time in the letter they reminded me of my registration data: E-mail, for the case, if I’m a fool and I don’t know what email address I am reading now and password , in case someone else wants to know him, probably. I politely expressed my opinion on this directly to the manager, whose signature was in the letter. In response, they explained to me that only I should read my mail, and the password was sent, in case I “forgot or lost it”. For my detailed explanations, that it is not necessary to do this, because it is in any case not secure and that the password, I will ask myself, if necessary, I wrote a nonsense at all. In short, the meaning is: “We have the“ I forgot the password ”function, but many either forget or lose their password.” Where is the logic ??? And at the end of the letter an excuse: “We will surely take into account your recommendations when working on improving our service and consider the possibility of making changes.”
I promised them to write this post, I am writing. In fact, I just want to raise this question. Is there someone who thinks that you need to send him his password in the clear, immediately after registration? And who believes that such reminders have the right to exist?
Personally, my opinion: the password to see in clear text never makes any sense. For this and the password field has such properties. Moreover, I believe that it should not even be stored anywhere, it is not necessary in order to verify the correctness of my password during login. And even when requesting a forgotten password, the correct services generate a new password and send it. Come in and put what you need.
I remembered one more thing: besides the fact that the letter contained my password, there was also a link where you can enter the site without a password. Those. too lazy to remember the password? Here he is! Too lazy to enter it? Click on the link!
PS I'm not paranoid. But it seems to me that this is already a bust. I wanted to discuss sending passwords by mail as a phenomenon.
PPS Could not publish in the blog "Information Security". I do not know why. And Habr knows, but does not say: "Some error ... We know ..."
But superjob.ru site just discouraged me! They sent a useless letter from the series, if you don’t know, then we have such a service, and at the same time in the letter they reminded me of my registration data: E-mail, for the case, if I’m a fool and I don’t know what email address I am reading now and password , in case someone else wants to know him, probably. I politely expressed my opinion on this directly to the manager, whose signature was in the letter. In response, they explained to me that only I should read my mail, and the password was sent, in case I “forgot or lost it”. For my detailed explanations, that it is not necessary to do this, because it is in any case not secure and that the password, I will ask myself, if necessary, I wrote a nonsense at all. In short, the meaning is: “We have the“ I forgot the password ”function, but many either forget or lose their password.” Where is the logic ??? And at the end of the letter an excuse: “We will surely take into account your recommendations when working on improving our service and consider the possibility of making changes.”
I promised them to write this post, I am writing. In fact, I just want to raise this question. Is there someone who thinks that you need to send him his password in the clear, immediately after registration? And who believes that such reminders have the right to exist?
Personally, my opinion: the password to see in clear text never makes any sense. For this and the password field has such properties. Moreover, I believe that it should not even be stored anywhere, it is not necessary in order to verify the correctness of my password during login. And even when requesting a forgotten password, the correct services generate a new password and send it. Come in and put what you need.
I remembered one more thing: besides the fact that the letter contained my password, there was also a link where you can enter the site without a password. Those. too lazy to remember the password? Here he is! Too lazy to enter it? Click on the link!
PS I'm not paranoid. But it seems to me that this is already a bust. I wanted to discuss sending passwords by mail as a phenomenon.
PPS Could not publish in the blog "Information Security". I do not know why. And Habr knows, but does not say: "Some error ... We know ..."
')
Source: https://habr.com/ru/post/61535/
All Articles