November 28, 2008 4:27 PM PST

A call for the end of plain text passwords

by Harrison Hoffman

One of the many examples of plain text passwords being transmitted through email.

Nothing strikes fear into our hearts like seeing one of our secret passwords, which we have guarded with our lives (well, maybe not so much), displayed in plain text. Even though you would be hard pressed to find anyone who approves of the practice, many websites still greet their new users with an email containing their super-secret password. As you open that email you almost feel betrayed. The password that you have worked so hard to protect is right there in front of your eyes.

Even if there is no significant security risk to transmitting passwords via plain text, it gives users the impression that security is not a top priority for the creators of the site. There is no reason for this practice to still exist today: good password management technology for websites is widely available. If you can't build a proper password system for your site, just opt for OpenID or a similar service.

I propose that all sites should have an automated password reset system that either allows the user to create a new password from an authentication link or through a one-time use password, sent to their email. Plain text passwords should never be displayed or sent through email.
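To make the proposal concrete, here is an added example (not code from the original post or from any site it mentions) of the server side of such a scheme in Python: passwords are stored only as salted PBKDF2 hashes, and a password reset issues a random one-time token whose hash alone is kept, with a short expiry. The token is what would be embedded in the emailed link or sent as the one-time code; the plaintext password is never stored, displayed or mailed. The in-memory dictionaries, the 15-minute lifetime and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory "database" for the example; a real site would use
# persistent storage. Only hashes are ever stored, never the password or the
# reset token itself.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"email": str, "expires": float}

PBKDF2_ROUNDS = 200_000          # assumed work factor
TOKEN_TTL_SECONDS = 15 * 60      # assumed reset-link lifetime


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email: str, password: str) -> None:
    """Store a fresh salt and hash; the plaintext is discarded immediately."""
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_login(email: str, password: str) -> bool:
    """Recompute the hash and compare in constant time."""
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-time reset token and return it for emailing (as a link or a
    one-time code). Only its hash is kept server-side, so a leaked database
    does not leak usable tokens. Returns None for unknown accounts; the HTTP
    response shown to the user should look identical in both cases so the
    endpoint cannot be used to enumerate accounts."""
    if now is None:
        now = time.time()
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token exactly once; reject unknown or expired tokens."""
    if now is None:
        now = time.time()
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(token_hash, None)   # pop makes the token single-use
    if rec is None or now > rec["expires"]:
        return False
    register(rec["email"], new_password)       # new salt, new hash
    return True


if __name__ == "__main__":
    register("alice@example.com", "correct horse")        # constructed account
    tok = request_reset("alice@example.com")
    print("emailed token (never the password):", tok)
    print("reset ok:", complete_reset(tok, "new pass"))
    print("reuse rejected:", not complete_reset(tok, "again"))
    print("new password works:", verify_login("alice@example.com", "new pass"))
```

The two properties worth checking in any real implementation are that the stored token table contains only hashes (so `tok in RESET_TOKENS` is always false) and that a token cannot be redeemed twice or after its expiry.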

No more excuses. Let's squash this lazy practice once and for all.

Harrison Hoffman is a tech enthusiast and co-founder of LiveSide.net, a blog about Windows Live. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by bkkissel November 29, 2008 8:15 AM PST
For any of your readers looking to implement OpenID on their websites, there are good open source libraries at www.openidenabled.com or a free turnkey hosted solution, called RPX Basic, at http://rpxnow.com.

Also, for anyone wanting their own personal OpenID with multi-factor authentication via Microsoft Infocard, SSL Certificate, or CallVerifID phone-based authentication, you can get one for free at www.myopenid.com. This is only one of three certified OpenID providers for Microsoft's HealthVault medical records management services.
by mselbie December 1, 2008 3:14 PM PST
Nice post that highlights the growing need for usable products on the internet and the growing role of OpenID. Longer passwords and crazy challenge questions only confound the user. We also know from lots of research that people prefer pictures to words and, from our own research at Vidoop, that the majority of US adults online are very frustrated with remembering and organizing passwords. So we developed a visual login using OpenID that eliminates passwords and yet is effective against the prevalent forms of hacking. The pictures mean you have a password for any website. It's free, usable, browser agnostic, secure and works on multiple computers. It remembers the passwords so you don't have to. Check out the frisbee catching tortoise video at www.vidoop.com
by zerarch January 7, 2009 7:53 AM PST
It's bad enough with web-based services and email, but try snail mail!

Sprint and a few other utility services have not only sent me my online access password in plaintext on the paper bill, but have also requested that password as an identity verification over the phone.

The risks of identity theft aside (a password on a bill + a cell phone number = phone records, billing information, etc.), the discomfort of seeing what was once a strong password is only compounded by being asked to "verify" it out loud over the phone.