36
sylar
8y

I hate it when websites send me an email showing my username along with my password!

Comments
  • 2
    yea man fucked up.
  • 2
    why? Email is mostly secure (SMTP-TLS), and if you don't trust your email provider with your passwords, then change.

    Afraid of getting email account hacked? enable 2fa then.
  • 0
    @sebastian Polymail stores my email on their servers
  • 16
    @sebastian the problem isn't that your email is insecure. The problem is the implication of your password being stored unencrypted at the site you signed up with
  • 1
    @sebastian email? Secure? Not even remotely.
  • 2
    @sebastian
    Even if it's encrypted end-to-end with rsa/pgp keys, it's still storing your credentials on someone else's server(s), and the originator still has access to your unencrypted password. This means, at best, they're using a reversible encryption, and at worst (and most likely) they're storing them in clear text.

    Everything about this scenario is very worrying.
  • 3
    Report them to plaintxtoffenders.com? If they can send you your password, it means their system is incredibly insecure! When their system is breeched your password will be available in plain. F*cking basic security! Hash the password with a salt. (I actually don't know how to build that, but that is why I don't build shit like that)
  • 2
    When this happens to me I normally just report them to http://plaintextoffenders.com so they end up on that list.

    Then I'll​ email their support team (if they have one) and advise they maybe plan on rectifying it sometime so they don't show up in the plaintext database.

    I've had a couple success stories where businesses have made the changes made emailed me back thanking me for letting them know that it was a problem.
  • 0
    I shall report them
  • 0
    @Charmgoggles most data bases have support for hashing tables and storing hashed values (salting and etc done for you). MySQL has this not sure What hashing they use maybe SHA
  • 1
  • 0
    @Ashkin @codetinkery Not if they email you the password at signup/change. Eg just after you entered it, but before its hashed and saved in db.
  • 1
    Ahaha I litrually just opened an email with both my username and password in it sent to me xD
  • 2
    @sebastian I find your faith in email disturbing.
Add Comment