ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

I've just registered with a professional organisation and received, in clear, my user details, including the password they generated for me. Along with the text:

"To maintain this security, you cannot change your password and we have no means of retrieving lost passwords."

!!!

This is horrendous ... incredibly bad practice.

From a professional organisation.

Mind-boggling.

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

Calling @Chartodon ...

quikkie,

@ColinTheMathmo 23 years in the industry, the only time I've seen something like that was around a decade ago at a British supermarket delivery service, although you could change your password.
Slightly more recently (8 years?) a British ISP could send plain text password reminders.

In Oz (because I signed up recently) the supermarket websites have a password reset workflow for the users to choose their own password. I point out a supermarket as they aren't an infosec company.

Telling you what your (temporary) password is isn't terrible as long as you can change it. Not being able to change it is frankly awful security.

iwastux,

@ColinTheMathmo That is terrible!! I'm not a cyber security professional but Article 32 of GDPR states that when processing personal data, appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to the risk, including the use of encryption where appropriate. It also states that the encryption solution used should meet current standards. Refer to this for more details: https://eur-lex.europa.eu/eli/reg/2016/679

daveirving,
@daveirving@aus.social avatar

@ColinTheMathmo
That's horrifying.

I'm not a security expert, but even I know what poor practice that is.

badgermind,

@ColinTheMathmo happened to me as well. I was going to raise it with them but it slipped my mind.

jesusmargar,
@jesusmargar@mastodon.social avatar

@ColinTheMathmo tattoo it on one of your kids

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

Please, if you're a computer security professional, reply in this thread so I can subsequently point them to it. I need to have people with real experience detailing just how bad this is ... there's no way they'd listen to me.

And if you're comfortable doing so, please boost for reach.

Thank you.

fifonetworks,

@ColinTheMathmo
My credentials:

  1. I do cybersecurity consulting for electrical power generating plants.
  2. I’ve developed and taught cybersecurity courses at two colleges.
  3. Companies pay me to help design their cybersecurity policies, disaster recovery plans, and incident response plans.

My opinion that you asked for:
Sending passwords in an unencrypted email is only ever acceptable if the user is required to change the password at first login.

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@fifonetworks Perfect ... thank you, much appreciated.

luna,

@ColinTheMathmo hey @gsuberland here’s one for you

gsuberland,
@gsuberland@chaos.social avatar

@luna @ColinTheMathmo yeah no this is awful practice, it breaks pretty much every rule.

  • should never send passwords via email, ever

  • should never store passwords in plain text - hash passwords with something like bcrypt or argon2

  • a password change workflow is super important in case of account compromise

experience in this matter: 10 years as a security professional (penetration testing + security research)

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@gsuberland To be fair, it's not clear that they are storing the pwd in clear ... the fact that they claim they can't recover it suggests otherwise.

For everything else ... yes.

CC: @luna

gsuberland,
@gsuberland@chaos.social avatar

@ColinTheMathmo @luna yeah, that is fair, but worth specifying the correct process just in case it's flat MD5 or something.

gsuberland,
@gsuberland@chaos.social avatar

@ColinTheMathmo @luna also, just in case my professional credentials are meaningless to them, there's also this:

https://security.stackexchange.com/users/5400/polynomial

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@gsuberland Super ... thank you.

CC: @luna

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@gsuberland Agreed, although my experience with organisations like this is that if you say "Passwords should be stored encrypted with XXX or YYY" then they'll focus on that, say that they do it, and ignore all the other horrendous breaches.

But we're on the same page here ... thank you.

CC: @luna

rotopenguin,
@rotopenguin@mastodon.social avatar

@gsuberland instead of a password change workflow, we have an employee change workflow. In order to change your password, we have to wipe out your vacation time and set you back to starting pay.

stufromoz,
@stufromoz@aus.social avatar

@ColinTheMathmo @futzle as someone who works in a software company that deals with insurance companies and is very conscious of security risks, that is completely unacceptable. We have a policy of never sending passwords in email, and require users to set up their own password the first time they try to log in. Our reset password option sends a link to the email of the registered user that requires their username to be entered to change their password…

crablab,

@ColinTheMathmo You could point them towards the general NCSC guidance on password policies: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

Having immutable passwords is an instant failure on stuff like CyberEssentials.

grwster,
@grwster@mastodon.social avatar

@ColinTheMathmo Ugh, computer security / identity management professional (emeritus) here, and this is pretty much the opposite of best practice. They get marks for verifying your email address, a step many sites fail to do, but any autogenerated password sent in the clear during account creation or password recovery should be changed on first use and should expire if not used in a timely fashion.
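The workflow these replies describe, as an added example that is not from the thread or any of its posters: gsuberland's hashed storage and change workflow, fifonetworks' forced change on first login, stufromoz's emailed reset link, and grwster's expiry of unused temporary credentials. It uses Python's standard-library scrypt in place of the bcrypt/argon2 named above, illustrative work factors, an injectable clock so expiry can be exercised, and assumed names such as AccountStore.

```python
import hashlib, hmac, os, secrets, time
# Added illustration, not the thread's code; stdlib scrypt stands in for bcrypt/argon2.
def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)

class AccountStore:
    TEMP_TTL = 24 * 3600   # an unused temporary password expires after a day
    RESET_TTL = 15 * 60    # a reset token expires after 15 minutes

    def __init__(self, clock=time.time):
        self.clock, self.users = clock, {}   # plaintext is never stored
    def _set(self, user, secret, must_change):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": hash_secret(secret, salt),
                            "must_change": must_change, "issued": self.clock()}

    def create(self, user):   # random temporary password, delivered to the user once
        temp = secrets.token_urlsafe(12)
        self._set(user, temp, must_change=True)
        return temp

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return "denied"
        if rec["must_change"] and self.clock() - rec["issued"] > self.TEMP_TTL:
            return "expired"
        if not hmac.compare_digest(rec["hash"], hash_secret(password, rec["salt"])):
            return "denied"
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, user, old, new):
        if self.login(user, old) not in ("ok", "change_required"):
            return False
        self._set(user, new, must_change=False)
        return True

    def request_reset(self, user):   # the emailed link carries this token, never a password
        token = secrets.token_urlsafe(32)
        self.users[user]["reset"] = (hash_secret(token, self.users[user]["salt"]), self.clock())
        return token

    def reset_password(self, user, token, new):
        rec = self.users.get(user)
        stored, issued = rec.pop("reset", (None, 0)) if rec else (None, 0)   # single use
        if (stored is None or self.clock() - issued > self.RESET_TTL
                or not hmac.compare_digest(stored, hash_secret(token, rec["salt"]))):
            return False
        self._set(user, new, must_change=False)
        return True
```

Only salted hashes and timestamps ever sit in the store, so an operator who emails the temporary password cannot later "retrieve" anything useful from it once the user has changed it.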

dimpase,
@dimpase@mathstodon.xyz avatar

@ColinTheMathmo I am a lecturer in the CS Department in Oxford, with a lot of experience in various projects involving security, passwords, etc. The described practice is very, very bad.

Chances are that many many login credentials issued this way are already available on the internet, for sale, or just for "fun".

Unixbigot,
@Unixbigot@aus.social avatar

@ColinTheMathmo @futzle the number one way that organizations fall to cyberattack is having one low-level employee compromised, and then strip mining that person's inbox for every password they have ever sent or received by email and using these for further attacks. Never. Email. Passwords.

C4th0de,

@ColinTheMathmo Why wouldn't they listen to you?

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@C4th0de They're a professional organisation, and I have neither formal qualifications nor track-record in security. They will be accustomed to cranks, so a letter telling them they've got their security wrong will be ignored.

Unless it comes from someone they know, with a track-record, and qualifications, and quoting lots of stuff.

They need to be hit with a hammer. In their world, I'm a nothing.

I will be trying to find an individual in the org who knows me ... we'll see what happens.

sadur,

@ColinTheMathmo I manage passwords in my school. Even the students' passwords for the computer room's account can be changed by users at any moment. And, of course, users are forced to change the password the first time they log in.

Bonne,

@ColinTheMathmo Remove the account and go somewhere else. This is totally incomprehensible

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@Bonne I agree that it's incomprehensible and unacceptable. Sadly, I need to register an account with them to go to an event they're running.

I'm certainly not going to trust them with any details of value.

pseudonym,
@pseudonym@mastodon.online avatar

@ColinTheMathmo You are correct.

This is bad, lazy, insecure, and a sign that the organization probably has other things wrong with it. I wouldn't interact with them further.

I've got a CISSP, and have been working in #infosec for about 10 years. That doesn't give me any special authority on the topic, but you asked.

ISO 800-53 requires that users should be allowed to select and change their own passwords.

Will you name the org doing this?

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@pseudonym Thanks for the reference ... I've found the relevant section to be able to quote it to them.

I'm always reluctant to name organisations without first giving them a chance to respond to having these issues raised.

pseudonym,
@pseudonym@mastodon.online avatar

@ColinTheMathmo

Absolutely the right course of action.

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@pseudonym 👍

thefyuuri,

@ColinTheMathmo can't give more than saying I hold a Cybersecurity undergrad degree with a SEC+ that was formerly an ISSO (Information Systems Security Officer) that now works as a sysadmin, but it's definitely Security 101 to not send clear text passwords. Especially immutable ones!

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@thefyuuri Thank you!

living8bit,

deleted_by_author

ColinTheMathmo,
@ColinTheMathmo@mathstodon.xyz avatar

@living8bit Super ... thanks.

penguin42,
@penguin42@mastodon.org.uk avatar

@ColinTheMathmo Of course they can retrieve the password - they can look in their mail log.....
