November 28, 2008 4:27 PM PST

A call for the end of plain text passwords

by Harrison Hoffman

One of the many examples of plain text passwords being transmitted through email.

Nothing strikes fear into our hearts like seeing one of our secret passwords, that we have guarded with our lives (well, maybe not so much), displayed in plain text. Even though you would be hard pressed to find anyone who approves of the practice, we find many websites that greet their new users with an email containing their super-secret password. As you open that email you almost feel betrayed. The password that you have worked so hard to protect is right there in front of your eyes.

Transmitting a password in plain text is not a harmless cosmetic lapse. The message sits unencrypted in the user's inbox, in their mail client's cache, and on every mail server that relayed it, for as long as any of those copies exists, and a site that emails passwords is, at best, handling the plain text more than it needs to and, at worst, storing it in a recoverable form instead of as a salted hash. Just as damaging, it tells users that security is not a top priority for the creators of the site. There is no reason for this practice to still exist today: sound password handling (keep only a salted, deliberately slow hash, never the plain text) is well understood and supported by every mainstream web framework. If you can't build a proper password system for your site, just opt for OpenID or another similar service.

I propose that all sites should have an automated password reset system that lets the user create a new password either through an authentication link or through a one-time use code, sent to their email. The link or code should be randomly generated, short-lived, and valid for exactly one use, and the site should store only a hash of it, so that neither a forwarded email nor a leaked token table hands an attacker a working login. Plain text passwords should never be displayed or sent through email.
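What a minimal reset flow along those lines looks like, as an added example written for this edit and not code from the original post or from any site it mentions. It is Python and assumes hypothetical in-memory dictionaries standing in for the site's user and token tables, PBKDF2-HMAC-SHA256 for password storage, and a 15-minute token lifetime; every name in it (USERS, RESET_TOKENS, set_password, verify_password, issue_reset_token, redeem_reset_token) is made up for the illustration. It covers both points above: the site keeps only a salted, slow hash of each password, and the only secret it ever emails is a random, short-lived, single-use token whose hash, not the token itself, is what gets stored.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory tables standing in for the site's database
# (constructed for this example; a real site would use its user store).
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"email": str, "expires": float, "used": bool}

TOKEN_TTL_SECONDS = 15 * 60     # a reset link should die quickly
PBKDF2_ITERATIONS = 600_000     # slow on purpose; tune to your hardware


def _hash_password(password, salt):
    """Salted, deliberately slow hash; the plain text is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(email, password):
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        # Run the KDF anyway so an unknown account costs as much as a wrong password.
        _hash_password(password, os.urandom(16))
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def _token_key(token):
    # Only this digest is stored; a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(email, now=None):
    """Return the token to embed in the reset link, or None if the address is unknown.

    The caller should send the same "if an account exists..." message either way,
    so the reset form does not reveal which addresses are registered.
    """
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_key(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_reset_token(token, new_password, now=None):
    """Set a new password if the token is known, unexpired and unused; single use."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(_token_key(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True
    # Any other outstanding links for this account die with the reset.
    for other in RESET_TOKENS.values():
        if other["email"] == rec["email"]:
            other["used"] = True
    set_password(rec["email"], new_password)
    return True


if __name__ == "__main__":
    set_password("alice@example.com", "correct horse battery staple")
    token = issue_reset_token("alice@example.com")
    print("https://example.com/reset?token=" + token)   # the only secret in the email
    assert redeem_reset_token(token, "new password")
    assert not redeem_reset_token(token, "replay attempt")
```

The email body carries nothing but the link; if it is forwarded or read later, the token inside has either expired or already been spent. The `now` parameter exists only so the expiry path can be exercised without waiting; a real handler would leave it at the default.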

No more excuses. Let's squash this lazy practice once and for all.

Harrison Hoffman is a tech enthusiast and co-founder of LiveSide.net, a blog about Windows Live. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by bkkissel November 29, 2008 8:15 AM PST
For any of your readers looking to implement OpenID on their websites, there are good open source libraries at www.openidenabled.com or a free turnkey hosted solution, called RPX Basic, at http://rpxnow.com.

Also, for anyone wanting their own personal OpenID with multi-factor authentication via Microsoft Infocard, SSL Certificate, or CallVerifID phone-based authentication, you can get one for free at www.myopenid.com. This is only one of three certified OpenID providers for Microsoft's HealthVault medical records management services.
by mselbie December 1, 2008 3:14 PM PST
Nice post that highlights the growing need for usable products on the internet and the growing role of OpenID. Longer passwords and crazy challenge questions only confound the user. We also know from lots of research that people prefer pictures to words and from our own research at Vidoop, that the majority of US adults on-line are very frustrated with remembering and organizing passwords. So we developed a visual login using OpenID, that eliminates passwords and yet is effective against the prevalent forms of hacking. The pictures mean you have a password for any website. It's free, usable, browser agnostic, secure and works on multiple computers. It remembers the passwords so you don't have to. Check out the frisbee catching tortoise video at www.vidoop.com
by zerarch January 7, 2009 7:53 AM PST
It's bad enough with web-based services and email, but try snail mail!

Sprint and a few other utility services have not only sent me my online access password in plaintext on the paper bill, but have also requested that password as an identity verification over the phone.

The risks of identity theft aside (a password on a bill + a cell phone number = phone records, billing information, etc.), the discomfort of seeing what was once a strong password is only compounded by being asked to "verify" it out loud over the phone.


About The Web Services Report

Harrison Hoffman is a tech enthusiast and co-founder of LiveSide.net, a blog about Windows Live. The Web Services Report covers news, opinions, and analysis on Web-based software from Microsoft, Google, Yahoo, and countless other companies in this rapidly expanding space. Hoffman currently attends the University of Miami, where he studies business and computer science.
