Did You Receive a Password via Email? Delete It ASAP!
You've all probably been in a situation where you've forgotten your password. What you haven't done is think about the numerous decisions that need to be made in order to ensure that the password recovery mechanisms at websites and applications are reliable, user-friendly, and crucially, secure.
In most cases, after hitting the "Forgot Password?" link, you enter your email address (or username), and a message is sent to your inbox. In it, you either have a set of login credentials that let you get back into your account, or a link that guides you through a process that sometimes includes several additional steps.
Needless to say, having working login credentials directly in your inbox is the more convenient option. However, if a vendor or a website owner sends you an email that has a valid username and password combination in it, they either don't care about the safety of your data or their knowledge of information security is severely lacking.
Email is not a secure way of communicating
We've touched upon the problem in the past, but just in case you haven't been paying attention: emails should not be used for transferring sensitive information. One of the main reasons is that email is not end-to-end encrypted. The TLS protection between mail servers is opportunistic and often missing, and even where it is present, the message sits in plain text on every server it passes through, which means anyone who manages to intercept it or gain access to one of those servers can read it.
Furthermore, the content of your inbox is stored in the cloud and/or locally. The information is handled by your provider which may or may not have implemented the best security practices. It's also processed by your email client which may or may not be patched up properly.
The upshot is, emails don't provide the level of security needed to protect your usernames, passwords, or indeed any other piece of sensitive information. If a service provider you're using sends your login credentials via emails, you might want to reconsider whether you should continue doing business with them. There are other reasons for this as well.
An account lockout attack that even the most unsophisticated pranksters can pull off
We should admit that this is a very specific scenario, but considering how many websites use the password reset mechanism we're about to describe, we reckon that it's worth mentioning.
The idea is, you click on the "Forgot Password?" link, enter your email (or username), and the website automatically creates a new password and assigns it to your account. Your new password is then sent to your inbox, and you use it to sign in. Depending on your preference, you can choose to either stick with the new password or swap it for something you've thought of.
We've established already that the password should get nowhere near your inbox, but here, we see another problem. If the whole password reset mechanism relies on entering the correct email, there's nothing to stop a prankster from temporarily locking you out of your account. All they need to do is click the "Forgot Password?" link and enter your email address. Some time may pass before you realize what's going on, and if the website doesn't provide an easy way of changing the email address associated with your account, the prankster can continue resetting your password. This, sadly, isn't the biggest issue.
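The safe alternative to generating a new password is to email a single-use, time-limited reset token and leave the current password untouched until the token is redeemed. The following is an added example, not code from the original article or from any particular vendor, showing that flow in Python; the storage dictionary, the 15-minute lifetime and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical policy: a reset link stops working after 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store standing in for a database table.
# user_id -> {"token_hash": bytes, "expires": float}
RESET_TOKENS = {}


def _hash_token(token: str) -> bytes:
    # Only a hash of the token is stored, so a stolen database does not
    # hand the thief a set of working reset links.
    return hashlib.sha256(token.encode("utf-8")).digest()


def request_reset(user_id: str, now: Optional[float] = None) -> str:
    """Handle a 'Forgot Password?' submission for user_id.

    Returns the token that would be embedded in the emailed link. The
    account's existing password is not changed, so a stranger who enters
    someone else's address cannot lock that person out. Calling this again
    simply replaces the outstanding token.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[user_id] = {
        "token_hash": _hash_token(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset(user_id: str, token: str, now: Optional[float] = None) -> bool:
    """Validate a token presented from the emailed link.

    Returns True exactly once per issued token, and only before it expires;
    the caller then lets the user choose a new password.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(user_id)
    if record is None:
        return False
    if now > record["expires"]:
        RESET_TOKENS.pop(user_id, None)
        return False
    # Constant-time comparison so the check does not leak which bytes matched.
    if not hmac.compare_digest(record["token_hash"], _hash_token(token)):
        return False
    # Single use: invalidate before the password change proceeds.
    del RESET_TOKENS[user_id]
    return True


if __name__ == "__main__":
    issued = request_reset("alice")
    print("emailed link would carry:", issued)
    print("first redemption:", redeem_reset("alice", issued))   # True
    print("replay attempt:", redeem_reset("alice", issued))     # False
```

Because the legitimate password keeps working, the worst a prankster can do with this design is fill the victim's inbox with unused links; the token itself is never sent anywhere but to the address on file, and it is worthless once redeemed or expired.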
If a password can be emailed, it's not stored properly
It's a strange world we live in. Insecure password storage can lead to a horrific data breach and break the attacked vendor's reputation. And yet, too many websites and service providers continue to struggle with the simple act of securely storing passwords.
There are three common ways of storing passwords, and only one of them provides sufficient security:
- Plain text
Imagine an Excel spreadsheet with two columns: "Username" and "Password". The password you enter when signing up is simply pasted in the "Password" column. A hacker steals the spreadsheet, and it's pretty much all over for your account as well as for the vendor.
- Encrypted
Encryption means that the content of the "Password" column next to your username looks nothing like your real password, which is a good thing because the hackers can't use it directly to hijack your account. The bad news is, the process is reversible: anyone holding the encryption key can turn the stored value back into your original password. The very bad news is that encryption keys often aren't as well protected as they should be, and the application itself must be able to reach the key in order to work.
- Hashed and salted
Again, your password is turned into an unintelligible string of characters that has nothing to do with what you entered in the field. This time, however, there is no key that can reverse the process. When you log in, the website hashes your password again and checks the result against the value that was stored. Even so, an attacker who steals the hashes can guess passwords offline: hash each candidate and compare it with the stolen values, with precomputed tables making this quick for common passwords and fast hash functions. This is why adding a salt, and using a deliberately slow hash function, is a good idea.
A cryptographic salt is a random string of characters, unique to each user, that is attached to the password before the hashing begins. It ensures that two identical passwords produce different hash values, so precomputed tables are useless and every account has to be attacked separately.
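To make the "hashed and salted" option concrete, here is an added example in Python that is not part of the original article: each password gets its own random 16-byte salt and is run through PBKDF2-HMAC-SHA256, a deliberately slow, standard-library hash. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are choices made for this illustration (600,000 follows the current OWASP guidance for PBKDF2-SHA256).

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor chosen for this example; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record suitable for storing in the database.

    The salt is generated fresh for every call unless one is supplied, so
    two users with the same password end up with different records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and parameters and compare."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or tampered record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_different_records(password: str) -> bool:
    """Show the point the article makes about salts: identical passwords,
    distinct stored values, both of which still verify."""
    first = hash_password(password)
    second = hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    # Constructed sample data for a demonstration run.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    print("salts make identical passwords differ:", same_password_different_records("hunter2"))
```

Notice that nothing in the stored record allows the site to recover the original password; the only thing it can do is re-run the same computation on a candidate and compare. A site that can put your real password in an email is, by definition, not storing it this way.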
To summarize, if a password can be recovered in plain text by anyone, including the vendor, it's not stored properly. If it can be sent over email in plain text, the problems are even bigger.
Although passwords are such an important part of our online security, few vendors are willing to explain what they do to protect them. As a result, you can never be sure that your password is stored correctly. If it arrives via an email, however, you can be pretty sure that it's NOT.