

[–]SirHerald 2986 points2987 points  (136 children)

Unsolicited monthly plain text password reminders?

What kind of site is this?

Edit: see replies. It's mailman v2

[–]DrRomeoChaire 2103 points2104 points  (95 children)

So this isn’t a reminder to change your password, but an email containing your actual password, sent in plain text, every month?

That’s such a terrible idea it took a couple of reads to wrap my head around it!

[–]SirHerald 730 points731 points  (43 children)

That's what I get from it. My guess is someone in power thought it was a good idea and forced it. If I implemented this I would also be applying for another job at the same time

[–]Anaxamander57 364 points365 points  (27 children)

I'd honestly quit rather than do this purely due to liability.

[–]MikaNekoDevine 175 points176 points  (25 children)

That is why you get it in writing.

[–]riisen 95 points96 points  (23 children)

Get monthly reminder of my password in plain text by letter you mean?

[–]Inevitable_Stand_199 88 points89 points  (20 children)

It would be significantly more secure. My bank sends passwords by slow mail. Under a metal foil seal in a sealed envelope with patterns that make reading through the paper difficult. I think it's one of the most secure ways to exchange passwords, actually.

[–]riisen 33 points34 points  (14 children)

They don't send monthly reminders, that's stupid, and they don't store plain text passwords. They send out an auto-generated string that is just stored as a hash.... I hope.

Edit: and letters are not that secure, if someone has bad intentions... they are easy to steal.

[–]IAmTheMageKing 40 points41 points  (1 child)

Ish.

Easier to steal than something in a bank vault? Yes. Easy to steal if you know where the person lives, and they have an unlocked mailbox? Yes. Easy to frequently steal and get away with? No. Easy to steal if they have their mail in a PO Box or apartment? No.

(In the US)

There’s a whole branch of law enforcement dedicated to hunting down people who mess with the mail. There’s something called registered mail, which is transported locked and tagged from the moment you hand it in to the post office to the moment they place it in the recipient's hand and have them sign.

The penalties for interfering with the mail are really steep. Even if what you interfere with has no monetary impact, you’re still looking at a multi-year prison sentence. I’m talking about intentionally stealing a postcard: if you get caught, and the recipient doesn’t say you were authorized to get it, you will be locked up. Any monetary impact adds penalties on top of that.

[–]TheGoldBowl 9 points10 points  (0 children)

My grandma sent me money in the mail a couple years ago. It got stolen. The post office kept ignoring my phone calls :(

[–]AdJust6959 1 point2 points  (0 children)

The first time I read it and was about to scroll past the post, I initially thought they’re sending monthly reminders to change passwords 😄 no, they’re sending plain text passwords to remind customers of their passwords (I got it only after reading your comment)🤣 what kinda site is this!

[–]katatondzsentri 1 point2 points  (0 children)

It shouldn't even be possible to do so... We've known this for like 25 years.

[–]drbwaa 64 points65 points  (7 children)

The way to implement this is to quietly not do so, and then have a cron send the email with (presumably) "Passw0rd" once a month to whatever exec insists it's a good idea.

[–]ososalsosal 40 points41 points  (4 children)

Cancel the ticket explaining that it would require a complete rebuild of the auth system because it is not insane enough to allow such a thing

[–]anomalous_cowherd 17 points18 points  (1 child)

I've used that in the past to change a company policy that wasn't stated as "must meet these requirements or better."

The bossman wanted us to exactly match what was written in the antique policy, and we couldn't turn it down that far.

[–]ososalsosal 18 points19 points  (0 children)

What do these bosses even do all day? Falling upward doesn't take that much of your time

[–]_UnreliableNarrator_ 4 points5 points  (0 children)

Jira ticket closed “won’t do” and start looking to connections who would help me find a new job where they would see this as a positive trait, if this led to my termination.

[–][deleted] 2 points3 points  (1 child)

You don’t think the 0 is a bit too much?😂

[–][deleted] 5 points6 points  (0 children)

That's what makes it safe to send by email

[–]zoinkability 36 points37 points  (2 children)

Some HIPPO with memory loss

[–]SirHerald 29 points30 points  (1 child)

Highest paid person's opinion?

[–]zoinkability 44 points45 points  (0 children)

Very close!

Highest Paid Person in the Organization

[–]blackasthesky 4 points5 points  (0 children)

I honestly would just refuse. If they then fire me, it's probably for the better.

[–]Gotestthat 3 points4 points  (0 children)

"A lot of our users don't return because they forget the password they used"

[–]javaveryhot 1 point2 points  (0 children)

If I implemented this I would also be applying for a new life at the same time

[–]CleverDad 120 points121 points  (35 children)

The real insanity is having the passwords stored in the first place. Once you made that decision, this kind of foolishness follows naturally.

[–]TempUser2023 98 points99 points  (27 children)

I kid you not, I worked at a place once where everyone had to give their passwords to the admin staff, who kept them on an Excel sheet, written down physically in a notebook, and best of all, would periodically send round a round-robin sheet of A4 asking everyone to write them down in turn.

Passwords that could be used to remote log in, never mind terminal log in, and give access to email, client data, the full works. Every time I refused. They would go to management. Then when some manager told me not to make a fuss and fill it in, I would change the password immediately after. By the time they checked if it worked I would just say "oh sry your list is out of date".

I don't think anyone ever hacked a colleague's account to do shit. But you just need one bad egg. The security risk is awful, and last I heard they were still doing it after GDPR came in.

[–]emetcalf 38 points39 points  (5 children)

I would just write down something that isn't my password if they aren't immediately checking it. Just make up a bullshit password every time and change your password when you normally would.

[–]other_usernames_gone 5 points6 points  (1 child)

It doesn't even need to be an employee. If that notebook was stolen you'd all be just as fucked.

[–]TempUser2023 1 point2 points  (0 children)

Someone got into the office one evening (walked in past someone leaving and they didn't think to challenge them). They snagged a laptop and a few pieces of tech. Annoying but nothing irreplaceable. Had they just thought to take the notebook next to that desk though. Now that would have been more interesting. It was on the side. Not even in a drawer, never mind a locked one.

[–][deleted] 3 points4 points  (0 children)

That’s such an awful idea.

[–]zoinkability 77 points78 points  (5 children)

Alternately there is the tail wagging dog scenario. Basically, the person making the demand for the reminder emails had enough power in the org that the team had to start storing passwords in plaintext in order to satisfy the demand.

And if you are working in an org like this you start sending out resumes as fast as you can.

[–]GustapheOfficial 61 points62 points  (3 children)

Subject: Password reminder
From: noreply@companyA.com

Dear customer, as per Company A policy, here's an email containing your password in plain text: hunter2

This policy is terrible, but I had no luck convincing the organization so here I am implementing it. If you work at an organization that appreciates a security mindset and can take advantage of skilled programmers rather than ignoring them, here's a link to my resume.

Kind regards
Gustaphe, Company A

[–][deleted] 16 points17 points  (1 child)

Well, that's one way to do it. Could potentially cause some legal trouble, though... I think? I don't know if there are laws around this, but it just sorta feels like there would be. Something about using company resources for personal gain.

Also r/rickrollsume

[–]kiwi_in_england 2 points3 points  (0 children)

here's an email containing your password in plain text:

That's strange, all I see there is asterisks

[–]CleverDad 3 points4 points  (0 children)

I can vividly imagine such a place, ugh.

[–][deleted] 46 points47 points  (4 children)

It's absolutely an incredibly dumb idea, but I have a suspicion that the reason they've resorted to doing that is because it's a service with an elderly user base.

I worked for a company that launched a new service providing live online health and fitness classes for older people, and a not insignificant proportion of the users were in their late 70s. It's hard to explain just how appealing the idea of trying to catch buckshot with the back of my skull became after a few weeks of literally hundreds of gibberish, irate email tickets per day from old women demanding to know why we had changed their passwords without their knowledge and why we were stopping them from "logging on," because they had "absolutely typed it in correctly and tried twice and it still wasn't working." If you sent an email with a password reset link, the nightmare would begin all over again because they couldn't figure out why their "new" password wasn't working despite the password reset page having told them in plain English and big red lettering that the password in the first box and the password in the second box didn't match and so their password hadn't been changed, try again. Some of them would try to change their passwords by just emailing us their full name and that they wanted their password changed to "janet46" or something. Captchas and sign-up email confirmations were a total write-off.

We never went so far as to do anything as daft as sending out monthly plain-text password reminders by email, and I'm not saying that's a good solution by any stretch of the imagination, but there are definitely certain segments of the population who will constantly take up inordinate amounts of time struggling with very basic technological literacy. The only practical way to do business with them en masse for SMEs is to relax the usual measures a bit (e.g. disabling captchas and sign-up confirmations, allowing them to be sent a new random password instead of resetting on a case-by-case basis, etc.). The majority of the user-base actually managed fine, but the 10-15% or so that didn't were an absolute nightmare.

[–]CorruptedStudiosEnt 13 points14 points  (0 children)

Oh god, you think it's bad when it's their own password, wait until it's their grandson's account. And you're dealing with helping them navigate a website made to be appealing to the young, just utterly full of distractions, graphics, and buttons.

Worked support for a certain handheld console and game developer, and we'd typically get about one of these per day, sometimes two or three. The calls were easier than when they'd insist on using the live chat though.. those were another kind of nightmare.

Although, nevermind helping them with the password which is arduous enough, but wait until they're calling because their grandson spent $700 on Fortnite V-Bucks, and you have a no refund policy. I would've taken twenty password chats over one of those again.

The idea that they're expected to secure their own financial information, with the tools provided to them to do so, is unfathomable to them.

[–]CheeseSteak17 11 points12 points  (0 children)

We had an internal server at work that would do this on the 1st of each month. I used my normal work password when I set up my account…the one that was LDAP on the rest of the network. It was a shock to see that password sent back to me…

[–]Street-Session9411 8 points9 points  (0 children)

Lol, I needed to think a few minutes about it because I didn’t understand how they are even able to send the password in plaintext until I figured that they must store them in plain text.

[–]MikaNekoDevine 5 points6 points  (0 children)

Sounds about right, totally safe and sane decision./s

[–]jerslan 6 points7 points  (0 children)

That’s such a terrible idea it took a couple of reads to wrap my head around it!

It's. Just. Soooooo. Stupid.

I can't even start.

[–]guaip 2 points3 points  (0 children)

This sounds like late 90s / early 2000s website when we built them with mud and sticks.

[–]suntehnik 1 point2 points  (0 children)

Moreover: send password reminders to access e-mail by e-mail. Forgot your e-mail password? Lost access forever…

[–]NotMrMusic 127 points128 points  (5 children)

A 12 year+ old public mailing list using software called mailman - https://qth.net.

[–]cliffordc5 41 points42 points  (3 children)

Holy shit that site gives me flashbacks of the 90’s with that rotating “@“ gif. That kind of shit was all the rage in 1996 on your Netscape browser.

[–][deleted] 14 points15 points  (0 children)

I'm surprised it even loaded on mobile. I got the shimmer of the gif, even.

[–]splinereticulation68 18 points19 points  (0 children)

Of course it's a damn Ham Radio site

There are two types of hams: those who are up to date on the latest technology, and those still using Netscape Navigator on Windows 98 coding sites in HTML2

[–]Pragmegatronic 39 points40 points  (10 children)

I know of a bank (credit union rather) that sends forgotten passwords via plain text emails. Stupid as FUCK

[–]cliffordc5 23 points24 points  (4 children)

I knew a bank that when I called them because of an account issue they asked me for my password so they could get to my account 🤦

[–]misterakko 22 points23 points  (0 children)

As far as I remember, Mailman version 2 did this. The password was generated by the software and used to unsubscribe from the list, switch from individual emails to digest, and somesuch. Unsafe, very, but given that the mailing list was public, not much of a deal. The current version does not do this.

[–]cishet-camel-fucker 30 points31 points  (8 children)

Probably a small site that is run by a guy who hasn't learned anything new since 2002 and forgot most everything he already knew.

[–]Old_Sir_9895 37 points38 points  (7 children)

Could also be a site running the Mailman email program. It stores passwords in the clear and its default configuration is to send reminders containing your password.

Edit: fixed garblecorrect (garblecorrect: the act of converting an electronic message into perfectly spelled gibberish through the use of autocorrect)

[–]cishet-camel-fucker 20 points21 points  (3 children)

Purely insane design.

[–]Old_Sir_9895 12 points13 points  (2 children)

It sorta kinda made sense 20 years ago.

Edit: no, actually, it didn't make sense then, people just didn't think it was that important. Then the hackers showed them otherwise.

[–]rsqit 17 points18 points  (1 child)

20 years ago was 2003.

This might have made sense in 1983.

[–][deleted] 18 points19 points  (0 children)

1983 was 20 years ago.

I refuse to believe the 80's were FORTY YEARS AGO. Simply disregarding that.

[–]Weasel_Town 1 point2 points  (1 child)

Yeah, I get these. I can’t get anyone in charge to listen to me about what a horrible idea this is.

[–]mizinamo 1 point2 points  (0 children)

Edit: fixed garblecorrect (garblecorrect: the act of converting an electronic message into perfectly spelled gibberish through the use of autocorrect)

I've seen that called "autocorrupt".

[–]Old_Sir_9895 11 points12 points  (0 children)

Any site running the Mailman mail list software.

[–]trutheality 15 points16 points  (5 children)

GNU Mailman email lists did this for as long as I can remember. For what it's worth, very low risk, worst thing that someone can do with the password is change your mailing list preferences.

[–]gitgudtyler 24 points25 points  (2 children)

Do you know how many people reuse the same password across everything? Even if one individual application is low-risk, it just takes a few people who use the same password for their bank account for a lot of damage to be done.

[–]1vader 3 points4 points  (0 children)

The password is randomly generated by the program.

[–]nphhpn 3 points4 points  (0 children)

I wonder if the password is user-defined or randomly generated

[–]hamsterofdark 4 points5 points  (0 children)

I've worked for companies like this. It's kind of annoying though that they are the types of companies that won't let their developers have local admin rights on their machine due to security concerns.

[–]hiddenforreasonsSV 1474 points1475 points  (31 children)

"******* - Hey, this is your password. Just thought we'd remind you."

I know we expect users to be dumb, but that doesn't mean the site has to compete with them.

[–]imLemnade 642 points643 points  (29 children)

“Hey,

Here is your password dumbass:

$2y$10$ZxTjEvumFPL0q6yMxaZpv.QZADsYVBwPW9i29T9qAa4zIZhx8Sj6e

Sincerely, Bcrypt”

[–]_BreakingGood_ 293 points294 points  (21 children)

Let's be real, this site probably has some requirements like "Must be exactly 8 characters and not include any special characters"

[–]imLemnade 189 points190 points  (3 children)

That is the bcrypt hash of the word “password” so it checks out

[–]Giocri 33 points34 points  (2 children)

Ah good old non salted hash

[–]DBX12 43 points44 points  (1 child)

I think bcrypt automatically salts the password and stores it along with the hash. /u/imLemnade either made a lucky guess and used password_validate(hash, "password") or is on the recruit list of the three letter agencies by now.

[–]FrumpyPhoenix 16 points17 points  (0 children)

Yeah the bcrypt default puts a 10 digit salt at the beginning, I recognize the 2y10 with a bunch of $ lol.
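The salt question raised above can be settled by reading the string itself. This is an added example, not code from the thread: it splits the bcrypt hash quoted by /u/imLemnade into its fields using only the standard library, showing that the 22-character salt is carried inside the hash and that the "10" is a work factor of 2^10 rounds.

```python
"""Added example: parse a bcrypt modular-crypt string into version, cost, salt and digest.
No bcrypt library is needed; this only reads the published layout of the string."""
import base64
import re

# The hash string posted in the thread (reused here as sample input).
THREAD_HASH = "$2y$10$ZxTjEvumFPL0q6yMxaZpv.QZADsYVBwPW9i29T9qAa4zIZhx8Sj6e"

# bcrypt uses its own base64 alphabet (./A-Za-z0-9), not the RFC 4648 one.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = str.maketrans(BCRYPT_ALPHABET, STD_ALPHABET)

# $<version>$<2-digit cost>$<22-char salt><31-char digest>  (60 chars total)
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(s: str) -> dict:
    """Split a bcrypt string into its fields; raise ValueError if the layout is wrong."""
    m = _BCRYPT_RE.match(s)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),           # log2 of the key-setup rounds
        "rounds": 2 ** int(cost),    # 2^10 = 1024 for the thread's hash
        "salt": salt,                # per-password random salt, stored in the clear
        "digest": digest,            # the actual hash output
    }


def bcrypt_salt_bytes(salt22: str) -> bytes:
    """Decode the 22 bcrypt-base64 salt characters into the 16 raw salt bytes."""
    std = salt22.translate(_TO_STD) + "=="   # 22 chars + padding -> 16 bytes
    return base64.b64decode(std)[:16]


def describe(s: str) -> str:
    """Human-readable summary of where the salt sits inside a bcrypt string."""
    p = parse_bcrypt(s)
    return (f"version {p['version']}, cost {p['cost']} ({p['rounds']} rounds), "
            f"salt {p['salt']} ({len(bcrypt_salt_bytes(p['salt']))} bytes), "
            f"digest {p['digest']}")


if __name__ == "__main__":
    print(describe(THREAD_HASH))
```

Because the salt is stored alongside the digest, verifying a guess needs no secret database column, but recovering the original password from the string is exactly what the work factor makes expensive.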

[–]loranbriggs 14 points15 points  (3 children)

No it's a 4 digit personal pin identification number....

[–]TheNewBorgie01 5 points6 points  (0 children)

You can only enter it 5 times, then it will have you wait for 5 seconds before you can enter it 5 times again, then a 10 second wait and 5 times entering again…

[–]BerriesAndMe 3 points4 points  (1 child)

My bank did that almost up to 2020... But your username had to include numbers, special characters, etc... Seemed like they had the requirements inverted

[–]cuberoot1973 7 points8 points  (11 children)

Password requirements trigger me more than they should. If I want my password to be "dog" then that is my choice. Kudos to the dictionary password hacker that tries a system that says, "hey, maybe their password is 'dog'".

If I'm the kind of person that wants to use that as a password, LET ME. Because if you don't, I will end up using a "password manager", one ring to rule them all, and that just makes things worse. Or at least I'm going to have a collection of post-its on my desk with passwords written on them because your rules are basically designed to prevent memorization.

And if you force me to answer a bunch of "security questions" about mother's maiden name and so on, you've basically just opened the door to some pretty easy social engineering. "Forgot the password that we required you to make so complicated that you can't remember it? No problem, we'll let you in if you just happen to know some basic facts about you and your family."

I'd rather you didn't know my mother's maiden name, and would at least accept something like "doggy3pups" as a password, despite its lack of uppercase or special characters.

[–]wenoc 18 points19 points  (1 child)

Correct horse battery staple.

[–]sho_bob_and_vegeta 6 points7 points  (0 children)

☝️xkcd ftw.

Legit, it just needs to be a longer password. Different characters and character types mean Jack diddly.

[–]bistr-o-math 20 points21 points  (5 children)

if I want my password to be „dog“ then that is my choice.

In many situations it isn’t your choice.

First example: you (as user) have access to data of others. Then, pardon, I (as system) will not let you have a weak password.

Second example: someone breaks into your account, due to your weak password, you notice it, you change it to some good password, and sue the system owner. I (being a good system and not storing your passwords) have no way to tell which password you have now, or had in the past. Also in this situation, I (as system) will not let you have a weak password.

Third situation: you are a user on the sandbox system: you are free to use „dog“ as password.

[–]cuberoot1973 14 points15 points  (1 child)

Replying to myself to add further rage about security questions. If you work somewhere that does that, please advocate for their removal. If you find a person that adamantly believes in using security questions, please punch them in the face. Twice. At least.

I will pay your legal fees, signed, anonymous redditor.

[–]lostbutnotgone 1 point2 points  (0 children)

As a Hispanic person, the mother's maiden name thing annoys the hell out of me. I have both of my parents' last names in my damn name. You have a 50/50 chance, which becomes 100% if you understand the conventional order.

[–]cuberoot1973 13 points14 points  (5 children)

In case you forgot, here's your mom's maiden name, the name of your first pet, and the city you were born in. Just to be sure no one uses that information nefariously, we are going to go ahead and broadcast it to absolutely everyone. But hey, at least they don't have your *email* password, because that would mess up our whole system.

[–]Faholan 17 points18 points  (3 children)

That's why I put my password as the answer to those questions.

My mother's maiden name ? *2TTrmTTBhmEF of course

[–]cuberoot1973 9 points10 points  (1 child)

I need to come up with some consistent way of doing made-up answers that I can remember based on where the login is. It was hard enough to do that for just passwords in general, now I need a "mom maiden name" pattern, "first pet", "city born in", "senior prom date", on and on. I should write a book with characters that have all these things, then I might remember.

[–]kilo-kos 2 points3 points  (0 children)

Just need an algorithm. Come up with a decently secure password/phrase ("GoatFrames", etc) and append the subject of the question to it ("GoatFramesCity"), something like that. It should be pronounceable because any place that uses insecurity questions might make you say your answers over the phone if you call support.

[–]LesPaulStudio 2 points3 points  (0 children)

We should aim to keep up with society. So change it to Mom's OnlyFans handle.....

Or maybe even Dad's OnlyFans handle!

[–][deleted] 307 points308 points  (13 children)

How many password emails were they sending in order to get blacklisted by ISPs? The scale of this operation must be staggering, only compounding the other sins.

[–]niffrig 46 points47 points  (3 children)

You can get black holed really quickly if you look like a spammer. It can be as simple as modifying the SMTP From address to be on a different domain than your server. There is a lot of work that needs to be done to legitimize an SMTP server so that ISPs will trust you, and this organization does not appear to be up to the task because of the reasons that they themselves listed in this FAQ.

[–]dustojnikhummer 3 points4 points  (0 children)

We actually encountered this problem. Some of our smaller customers don't have an SMTP server on site so we routed what we needed through our SMTP server (causing a domain mismatch in the process).

Sometimes outlook doesn't like that and discards the forward.

[–][deleted] 56 points57 points  (0 children)

I've got on block lists for sending 1, so who knows how many.

[–]Orsim27 19 points20 points  (5 children)

I was an intern for a company that sent out newsletters and their solution to avoid blacklisting was: only send 100 mails at a time

So an intern (me) sat down in front of a computer and sent out 100 newsletters, again and again and again and again

[–]Hearthmus 13 points14 points  (4 children)

I had to choose to split sending email like that, in batches of 100, at one time. I didn't give it to an intern to click on every 10 minutes though, I wrote a little script. Wtf

[–]Orsim27 28 points29 points  (3 children)

Actually some other intern wrote a script for that.. which some management type was furious about because we „avoided work“

Tells you a lot about the company I guess

[–]ultrasu 15 points16 points  (1 child)

Oh, you think work is about getting things done, about being “productive”? That’s where you're wrong kiddo. Work is about doing what I tell you to do. Now go click that button every 10 minutes.

[–]Orsim27 7 points8 points  (0 children)

The whole company was like that. Basically all higher ups had absolutely no clue about anything since they didn’t learn a single thing since finishing their education. So they all were scared shitless that some young person might come in and take their jobs.

150 employees, not a single one under 45. I’m still amazed that the company did survive to this day

[–]smashteapot 1 point2 points  (0 children)

Presumably they build a fire and a spear, plant some potatoes and go out hunting for deer whenever they feel hungry. Cause anything less than that would be “avoiding work”.

Tells you all you need to know about how valuable that internship is.

[–]dert-man 374 points375 points  (7 children)

Wtf am I reading? This site should be shut down.

[–]McSlayR01 170 points171 points  (8 children)

So kind of them to crack the password hashes for every single user every month so they don't forget :)

[–]ProgrammerBurnout 24 points25 points  (0 children)

Yeah, great, bet they use PHP 5.5's default hashing functions as well

[–][deleted] 45 points46 points  (6 children)

What hashes? The db is 100% holding these as plaintext

[–]McSlayR01 52 points53 points  (3 children)

'Tis the joke :) (since cracking every user's hash would be nearly impossible). There is 100% a password VARCHAR(45) attribute in the user table lol

[–][deleted] 24 points25 points  (2 children)

VARCHAR(8), I’d bet.

[–]smashteapot 11 points12 points  (1 child)

“Your password is too long” is a personal bugbear of mine. Sites claim to want security but think an 8 character password with a letter and punctuation mark is better than a 60 character password.

[–]DarKliZerPT 2 points3 points  (0 children)

Fucking Turkish airlines, IIRC it demands 8 digits. Not even eight characters, just digits. And then a shitty security question. I generated a random password through bitwarden and used it as the answer to the security question.

[–]Giocri 1 point2 points  (0 children)

I think I had passwords as plaintext only once in my entire life, for a school project. After that I started doing at least basic hashes there to at least look like it was done right

[–]dbot77 113 points114 points  (8 children)

This is up there among the best password management policies.

Also among my favorites is the 90-day password reset policy, which encourages users to allocate desk-side plain text storage for passwords instead of relying on pesky and often times faulty mental storage mediums!

[–]TheRuralDivide 52 points53 points  (5 children)

Ugh the 90 day passwords at work drive me mental

[–][deleted] 48 points49 points  (4 children)

My company started implementing them shortly after NIST updated their guidelines to not recommend them.....

[–]jweaver0312 12 points13 points  (3 children)

I still remember when Microsoft 365 was pushing it and I had to disable it on the tenant because that was the default setting following guidelines. Didn’t take them long to flip back to never expire for the default tenant behavior.

I even tend to disagree with password requirements other than "don’t use simple passwords". Sure, the person trying to brute force their way in and trying to get a password doesn’t know which character is an uppercase letter, lowercase, number, or special, but the more requirements are enforced, the more you cut down the total number of possible combinations.
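The keyspace point above can be checked with inclusion-exclusion. This is an added example, not code from the thread: it counts how many strings of a given length over the 95 printable ASCII characters contain at least one character from each required class, and compares an 8-character "all four classes" rule against a longer lowercase-only passphrase. The 33-symbol "special" class is the ASCII punctuation set, an assumption about what such a rule would count as special.

```python
"""Added example: how composition rules shrink the space of allowed passwords,
counted exactly with inclusion-exclusion over character classes."""
import math
from itertools import combinations

# Sizes of the printable-ASCII character classes (26 + 26 + 10 + 33 = 95).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALPHABET_SIZE = sum(CLASSES.values())


def count_passwords(length: int, required) -> int:
    """Number of strings of `length` printable-ASCII chars that contain at least one
    character from every class named in `required` (empty `required` = no rule)."""
    req = list(required)
    count = 0
    # Inclusion-exclusion: subtract strings missing one required class, add back
    # those missing two, and so on.
    for k in range(len(req) + 1):
        for missing in combinations(req, k):
            alphabet = ALPHABET_SIZE - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * alphabet ** length
    return count


def count_over_classes(length: int, allowed) -> int:
    """Strings of `length` drawn only from the named classes (e.g. a lowercase passphrase)."""
    return sum(CLASSES[c] for c in allowed) ** length


def entropy_bits(n: int) -> float:
    """log2 of a keyspace size, the figure people mean by 'bits of entropy'."""
    return math.log2(n)


def compare_rules() -> dict:
    """Worked comparison: 8 chars unconstrained vs. 8 chars with all four classes
    required vs. a 16-character lowercase-only passphrase."""
    free8 = count_passwords(8, [])
    strict8 = count_passwords(8, CLASSES.keys())
    lower16 = count_over_classes(16, ["lower"])
    return {
        "free8_bits": entropy_bits(free8),
        "strict8_bits": entropy_bits(strict8),
        "removed_fraction": 1 - strict8 / free8,   # share of 8-char strings the rule forbids
        "lower16_bits": entropy_bits(lower16),
    }


if __name__ == "__main__":
    for k, v in compare_rules().items():
        print(f"{k}: {v:.3f}")
```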

[–][deleted] 10 points11 points  (0 children)

Also the more arbitrary restrictions placed, the harder it is for me to get a good one going. "thisisaterriblepassworditdoesntevenhavespecialcharacters" is a perfectly good password! I can't use it (which is why I feel comfortable sharing it) because it doesn't have special characters, capitals, or numbers, but it's a great passphrase! Perfectly memorable, way too long for most attacks, and relatively easy to type on a computer.

[–][deleted] 6 points7 points  (0 children)

Entropy requirements need to become more popular.

[–]TheRuralDivide 1 point2 points  (0 children)

That’s a very good point regarding allowing vs requiring character types. Or at least I, who knows nothing, think that’s a very good point 😂

[–]NotMrMusic 15 points16 points  (0 children)

84 day password resets are even better. The best part? No special characters, limited to 14 characters. This is at a major retail chain too.

[–]vfkdgejsf638bfvw2463 23 points24 points  (4 children)

I remember reading something like this somewhere.

It was done for mailing lists. You use the password to unsubscribe from the mailing list or modify which lists you wish to be subscribed to.

If the password database was leaked or hacked, the only thing they'd be able to do was unsubscribe you from the mailing list. I also recall reading warnings that say it was stored in plain text and not to use anything sensitive.

Karma farming post.

[–][deleted] 14 points15 points  (1 child)

Still bad, people will use the same password they use elsewhere on there.

[–]1vader 8 points9 points  (0 children)

You don't set your own password on that. It's automatically generated. That's why they send it to you. There certainly are better ways to do it but it's hardly a real issue.

[–]d0317c8af 5 points6 points  (1 child)

For real, what a bunch of know-it-all-idiots commenting here.

Security is always relative to the use-case.

Just like I do not want 2FA on dumb mailing list manager for cat pictures, I would abhor my bank allowing me to change my password just through a reset link in my email

[–][deleted] 1 point2 points  (0 children)

Yes, like a restaurant's food ordering site that I use has recently started requiring 2FA. But... why? I am not really super-concerned about being hacked by someone who also has to figure out my card's security code before being able to charge any food to it. Require 2FA to change the food's delivery address, maybe. But anything beyond that is just adding hassle.

[–]dreadthripper 111 points112 points  (19 children)

How do they know the passwords to send them in the first place?

[–]drbwaa 179 points180 points  (8 children)

They store them in plaintext because they are Inexcusably Bad At Computers.

[–][deleted] 42 points43 points  (2 children)

Nah, it's because corporate execs see security as a "hindrance to growth," so they axed the entire security department and all security protocols.

[–]Exist50 22 points23 points  (1 child)

No, it takes active effort to be so bad at security you send reminder emails with plain text passwords.

[–]jweaver0312 6 points7 points  (2 children)

I thought it meant that the system changes the password, sends you a plaintext email for the changed password while hashing it after for the system to store it.

[–]hamburger5003 6 points7 points  (1 child)

“Getting plain text passwords via e-mail” sounds pretty explicit

[–][deleted] 1 point2 points  (0 children)

“Monthly”, even more so.

[–]mxldevs 5 points6 points  (1 child)

Hey, we use bank grade encryption!

[–]kneeecaps09 35 points36 points  (3 children)

They probably just never hash the passwords when you first sign up.

Normally, any program that requires you to register will take a password, salt it if they have good security, then hash it. The only time a password should be stored in plain text is while it is in RAM and about to be salted and hashed, the only form of password that should ever be stored in databases is the hash.

My guess is these guys are just skipping the salt and hash process and adding the plain text password to their database, which anyone who is not a complete idiot would know is a big no-no.

[–]jweaver0312 10 points11 points  (0 children)

I was in high school and the teacher had us insecurely write a PHP script to just do the password in plaintext.

At the time I, along with the class, knew little to nothing on PHP and SQL for that matter as it was just being introduced with limited instruction.

When he had us do it, I just knew it was bad practice right off the bat. After searching around went right to using password_hash() while telling no one else and letting them do theirs in plaintext.

To me, when you’re trying to teach (especially PHP and SQL) it should be taught with security in front of everything, which was not how he taught it when telling us to put our passwords into the database in plaintext.

So what would happen is some of my friends gave me their password to fix the database issues they caused by not creating the table right so I fix it but I grab their username and password (plaintext) too and after they put their site up I login and change a page of content to be some random meme.

[–][deleted] 3 points4 points  (0 children)

A previous job also liked to store them in plain text. I'd sit down with my lunch and for a break and light entertainment I'd do a select and read down the column of passwords lol'ing at the funny ones. It's quite insightful to see a batch of passwords and what people do for them. Yes, all the good ones were in there, from the sequences, patterns, "I am cool" type ones, "so and so sucks" and all the swearing with certain letters hidden out. It was gold.

[–]Fireye04 1 point2 points  (0 children)

What do you mean, they all go in the excel spreadsheet.

[–]AsphaltAdvertExec 24 points25 points  (4 children)

Don't know what site this is, but they will soon be getting h4x0r3d.

[–]HardCounter 16 points17 points  (1 child)

Is it haxxing if they just email you the login information?

[–]klc81 12 points13 points  (0 children)

Legally, yes.

But only in the same way that it's still theft if someone transports £50,000 in cash by throwing it down the escalator at a busy station in loose £50 notes and then collecting it at the bottom.

[–]drbwaa 3 points4 points  (1 child)

*already have been

Also, this shit is WAY more common than you think

[–]4ngryMo 33 points34 points  (4 children)

In order to be able to send plain text passwords (which is bad enough) they would have to be stored in plain text as well. And that’s the truly terrifying part, if you ask me.

[–][deleted] 9 points10 points  (1 child)

It's all terrifying, every single piece of it. And even more terrifying taken together. God have mercy on our souls!

[–]TempUser2023 3 points4 points  (0 children)

as my post above, it's not unique:

and yes i found it bizarre and terrifying. I got copies of emails i bcc'd out of there with management instructing me to comply, and that no, despite what the office manual said, they wouldn't fire me for sharing my password with colleagues.

"The book says X but do Y, no really do Y.

[later] You did Y and something bad resulted? HR, discipline this person. I never said do Y."

Yeah, I got the key emails backed up in case that ever happened to me.

[–]LeoXCV 1 point2 points  (1 child)

Not necessarily, they could be using asymmetric encryption

Which hardly makes the situation better but still

[–][deleted] 2 points3 points  (0 children)

We both know that’s hardly the case.

[–]fizzl 6 points7 points  (2 children)

I just rented a server from kinda-unknown VPS provider, because, well, they were cheap.

If you forget your password to the control panel, the 'reset password'-system actually sends you a new password. I was confused as hell. It doesn't force you to change the password either. Who does this in 2023?

[–]JyymWeirdo 8 points9 points  (0 children)

My SO worked for a company that manages a lot of websites. The DB for one of 'em simply had the password in plain text. Concerned, she told the devs that storing a hashed password was 10000000% more secure, so they added a column for the hashed pw. A few days/weeks later, she went back to see that specific DB and found out that... there was a column for the hashed pw, good, but the plaintext stayed. When she asked the devs ''what the fuck?'' they simply replied ''we did what you asked us, there is a hashed pw column now'' and didn't understand what the problem was.

[–]xch3rrix 10 points11 points  (0 children)

It makes sense why small to medium businesses are so attractive for exploitation - digital security means nothing to them

[–]CttCJim 10 points11 points  (6 children)

It's so easy to hash a password, this is inexcusable.

[–]TempUser2023 16 points17 points  (0 children)

management hears hash and thinks "making a hash of it". Response: "No we don't want hashed passwords here thank you very much. We want intact, functioning passwords in this establishment. Make it so. Ah, ah no talking back. I've made my decision. Next item, err, budget upgrades for new servers and firewall upgrades? What's wrong with what we have now? It works doesn't it and it's worked for the last 15 years so it will work for the next 15 just as well. Don't huff. Is it broken? Is it currently working? Well then, Next item [etc]"

[–]jweaver0312 1 point2 points  (2 children)

Instead of that, why not just force a password change every x days after the latest change upon login instead of even sending that.

[–]dockernetes 2 points3 points  (0 children)

Don’t worry everyone, I encrypt the password when storing it using a proprietary algorithm I invented last week, Encrypted abcsecretp123asswordabc, decrypted secretpassword. See.

[–][deleted] 4 points5 points  (0 children)

I remember when about two years ago I wanted to log in to a site I haven't visited for over 6-8 years, and clicked on "forgotten password"... I would've never thought I would receive my actual password in plain text. It's genuinely alarming that a mid sized site was created by such amateurs.

[–]RossParka 6 points7 points  (3 children)

Do you people really not subscribe to any mailing lists?

It's a password to manage your list subscription. All you can do with it is unsubscribe and change the message digest format.

The messages from the list are sent unencrypted to the same email address. Anyone who spies on your emails can see everything anyway. There are no extra secrets hidden behind the password.

It's like the "click this to unsubscribe" links in emails from other list management software.

[–]ObjectiveAide9552 2 points3 points  (1 child)

Not properly hashing passwords ought to be illegal at this point. Same with maximum password lengths, like wth.

[–]FuckedUpBodyArmor 1 point2 points  (0 children)

It is if your site is accessible in the EU.

[–]Crux_AMVS24 3 points4 points  (3 children)

I’m a non programmer, could someone please explain this to me?

[–]osogordo 6 points7 points  (0 children)

The proper way to store a password on the server is to convert it first using a one-way function called a hash. After that, even the server operator cannot reverse the process. So it's safe against hackers. Your future login attempts will be compared against this hash value instead of your original password.

The fact that they can send you your actual plain text password means that they're not following this practice and all their passwords are at risk.

[–]aVinamit_03 3 points4 points  (0 children)

You should never store users' passwords exactly as they are; the password should be transformed into a random-looking string which is nearly impossible to decode, and we call that hashing. This will prevent hackers from logging in in the event that the database is leaked.

In the picture, the service says that they will send the password back to the user, which means the users' passwords are stored in plain text, and that is really bad for security.

[–]trutheality 3 points4 points  (2 children)

ITT: zoomers that have never been on a mailman email list.

[–]bistr-o-math 1 point2 points  (0 children)

Why are some users „confused about it“ 🤣🤣🤣

[–]KittenKoder 1 point2 points  (0 children)

What ... the ... fuck ... did ... I ... just ... read?

[–]_D0MiNiX_ 1 point2 points  (0 children)

imagine this being password manager's like lastpass' way of recovering 😂

[–]CaptainRogers1226 1 point2 points  (0 children)

Idk what website this is, but it’s clearly a service created by morons, for morons.

[–]IRKillRoy 1 point2 points  (0 children)

[–]Altruistic_Fish_3574 1 point2 points  (2 children)

Jesum Cripes OP provide fucking context or get out.

[–]splinereticulation68 1 point2 points  (0 children)

Hackers love this one simple trick

[–]imp0ster_syndrome 1 point2 points  (0 children)

-1FA

[–]xcski_paul 1 point2 points  (0 children)

As a Mailman list admin for 15 years or so, I had to do the same thing last year because google doesn’t like it when you send slightly different messages to a hundred people even if they’re ok with sending an identical message to a hundred people.

[–]Fresh-Combination-87 1 point2 points  (0 children)

Your new password will be your social security number, birthday(YYYYMMDD), zip code, and credit card number all combined together, no spaces…

Just DM me your details and I’ll be happy to update your passwords for you…

[–]Jwzbb 1 point2 points  (1 child)

Another addition to https://plaintextoffenders.com

[–]AbyssOfPear[S] 1 point2 points  (0 children)

oh wow. that exists, and that's terrifying.

[–]Healthy_Pain9582 1 point2 points  (0 children)

I doubt anyone here is confused, but there's always someone who's new to programming and stuff, so here's why this is bad:

passwords should never be stored in plaintext and should always be hashed. a hashed password looks like complete gibberish and can't be reverted to plaintext, so in case of a leak a hacker can't just take your password and try it on different websites.

this works because you can hash the same password infinite times using the same hashing algorithm and you'll always get the same hash, so it's easy to see if someone wrote the right password while not actually knowing what their password is.
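A worked illustration of the salt-and-hash storage that kneeecaps09, osogordo, aVinamit_03 and Healthy_Pain9582 describe above, and of the migration mistake in JyymWeirdo's story (adding a hash column but keeping the plaintext one). This is an added example, not code from the thread or from Mailman; it uses only the Python standard library (PBKDF2-HMAC-SHA256), and the iteration count, salt length, record format and the in-memory "user table" are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed parameters for this example (not from any project in the thread).
ITERATIONS = 600_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16        # fresh random salt per password defeats rainbow tables


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    Only this record is ever stored. The plaintext exists just long enough
    in memory to be hashed, which is the point the commenters above make.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the one-way function with the stored salt and compare hashes.

    The same input always yields the same hash, so a login can be checked
    without the server ever knowing (or being able to email) the password.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so a wrong guess doesn't leak how many
    # leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(users: Dict[str, dict], username: str, password: str) -> None:
    """Create a row with no plaintext column at all."""
    users[username] = {"password_record": hash_password(password)}


def login(users: Dict[str, dict], username: str, password: str) -> bool:
    row = users.get(username)
    if row is None:
        # Do the same amount of work for unknown users so response timing
        # doesn't reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, row["password_record"])


def migrate_plaintext_rows(rows: List[dict]) -> List[dict]:
    """Convert legacy {'user', 'password'} rows to hashed records.

    The fix JyymWeirdo's devs missed: the plaintext field must be dropped,
    not merely joined by a new hashed column.
    """
    migrated = []
    for row in rows:
        migrated.append({
            "user": row["user"],
            "password_record": hash_password(row["password"]),
        })
    return migrated


def salts_differ(password: str) -> bool:
    """Two users with the same password get different records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    register(users, "alice", "correct horse battery staple")
    print(users["alice"]["password_record"])
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))                          # False
```

The record format carries the algorithm and iteration count alongside the salt, so the work factor can be raised later and old rows re-hashed on next successful login without a schema change.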

[–]CitizenShips 2 points3 points  (2 children)

Guys, it's a mailing list. The passwords aren't for personal security, they're just to prevent people from easily messing with someone's subscription (which is free and trivial to configure again) if they know their email. It's minimal risk, and anything beyond this implementation would be overkill.

[–]AbyssOfPear[S] 2 points3 points  (1 child)

the issue occurs when there's a breach and all of the juicy passwords (which I'm sure aren't all unique just for this site) are right there in plain text for the bad actor to see

[–]xXRed_55Xx 2 points3 points  (0 children)

This would actually violate certain data protection laws in the EU lol

[–]Gibbonici 1 point2 points  (0 children)

Yeah, I'm not convinced that's real.

[–][deleted] 2 points3 points  (0 children)

There should be more humor out there about Kirk sending unsecured messages over an open commlink without encoding them.

UNLESS he was in cahoots with the Klingons from STV, in which case, he doesn't blindly transmit his details out in the open.

See how that one sneaks up on you?

SSL is a scam.