Hey websites, please don’t email me my passwords!

The other day I signed up for an online service and received the usual welcome email immediately. But that wasn’t the most pleasant welcome!

There was my password – in all its complex glory – in plain text; I got worried with a thought… “Are they storing users’ password at their end?”. And things became clear with another distressing forgot-password e-mail bearing the same password. So even if I created a complex and long password using the Password Generator on the Enpass app, it was just out there.

This is definitely not a good data protection policy where such websites risk the users’ personal details in case their server gets hacked. A lot of users use the same password for most services (which is a very bad practice and security experts always denounce it) and this means that the hacker gets access to their several other accounts. It’s literally frightening and which is why we strongly recommend using unique passwords. Also, we cannot trust the e-mail to be a secure medium to carry our passwords as it is always susceptible to Man In The Middle (MITM) attacks.

We really hope developers and product managers understand the risks of plain-text passwords, and as a user, when you encounter such a practice, make sure you let them know that this is a wrong practice. Point them to PlainTextOffenders maybe… it’s a community initiative to name and shame ‘plain text offenders’.

We believe that online services and websites should not abuse our trust and store our passwords irresponsibly. It’s time all of us spoke against the lazy practice, for a better and secure web.