Hey websites, please don't email me my passwords!

The other day I signed up for an online service and received the usual welcome email immediately. But that wasn’t the most pleasant welcome!

There was my password – in all its complex glory – in plain text; I got worried with a thought… “Are they storing users’ password at their end?”. And things became clear with another distressing forgot-password e-mail bearing the same password. So even if I created a complex and long password using the Password Generator on the Enpass app, it was just out there.

This is definitely not a good data protection policy where such websites risk the users' personal details in case their server gets hacked. A lot of users use the same password for most services (which is a very bad practice and security experts always denounce it) and this means that the hacker gets access to their several other accounts. It's literally frightening and which is why we strongly recommend using unique passwords. Also, we cannot trust the e-mail to be a secure medium to carry our passwords as it is always susceptible to Man In The Middle (MITM) attacks.

We really hope developers and product managers understand the risks of plain-text passwords, and as a user, when you encounter such a practice, make sure you let them know that this is a wrong practice. Point them to PlainTextOffenders maybe… it’s a community initiative to name and shame ‘plain text offenders’.

We believe that online services and websites should not abuse our trust and store our passwords irresponsibly. It’s time all of us spoke against the lazy practice, for a better and secure web.



Bonsi 1 year, 1 month ago


Tom Scott explains this all very well.

And getting your password in plaintext back from someone -> stored without hashing and salting -> Insecure.


H 1 year ago

Not necessarily.

Email when registering can be sent within the same code that signs you up. Before hashing.

The problem is if they send you email with passwords when you forget it.


Shady 1 year ago

In fact your password should never appear clearly anywhere, if a password is send by email he could be intercepted by many ways. The point is not to know if the password is hached on the website database, the point is that your password should NEVER appear (hached or not) anywhere.


TecnoBreak 2 months, 4 weeks ago

This is one of the reasons why I often prefer not to register in some places. Others offer the possibility of registering using social networks, which is also not safe. In my case, I use temporary emails and I use VPN to create the accounts.


New Comment


Never miss an update. Subscribe to receieve an updates whenever we post something in the blog.

RSS / Atom