undefined | Better HN

0 pointsDylan168075y ago0 comments

With two important notes:

1) A site that emails you your password might not be storing it in plain text. They're similar but separate problems.

2) A site that sends you a login link could be just as bad as the sites listed here, if that login link doesn't expire (and you used a unique password). It's a more subtle way of having the same problem.

0 comments

Thorrez5y ago

For 2, if it's a password that the user chose, the site should never email it, because the user likely reused that password across many sites, and someone who snoops on the user's email (say a housemate) can get the password to a ton of sites.

If it's a password generated by the site, then it's actually fine to email it. Although you likely don't want it too early in the email that it would show up in a phone notification or in a body summary in gmail.

GoblinSlayer5y ago

Many sites are wrongly listed there, like https://plaintextoffenders.com/post/629608281322733568/qnx-s...

1010085y ago

Honest question: If you send it on the email without storing (just sending appending the $password variable to the email body), what would be the problem?

UncleMeat5y ago

Some email is still sent unencrypted over the web so people snooping on traffic could see it.

GoblinSlayer5y ago

Not hypothetical https://plaintextoffenders.com/post/628974096028434433/movis...

thedanbob5y ago

Any mail server the email happens to pass through is able to read/log the entire content of the message.

j / k navigate · click thread line to collapse

0 pointsDylan168075y ago0 comments

With two important notes:

1) A site that emails you your password might not be storing it in plain text. They're similar but separate problems.

0 comments

Thorrez5y ago

GoblinSlayer5y ago

Many sites are wrongly listed there, like https://plaintextoffenders.com/post/629608281322733568/qnx-s...

1010085y ago

Honest question: If you send it on the email without storing (just sending appending the $password variable to the email body), what would be the problem?

UncleMeat5y ago

Some email is still sent unencrypted over the web so people snooping on traffic could see it.

GoblinSlayer5y ago

Not hypothetical https://plaintextoffenders.com/post/628974096028434433/movis...

thedanbob5y ago

Any mail server the email happens to pass through is able to read/log the entire content of the message.

j / k navigate · click thread line to collapse