Incredibly ignorant statement. If it's encrypted in a reversible format then it's not cleartext. If it's being sent in a confirmation email, then it could even be stored as a one-way hash: password extracted from the form, inserted into email, hashed and stored (This is what WordPress, for example, does).
A case can be made against both of those procedures, but that is a separate issue from his statement being ignorant.
It's not foolproof, but for stupid free websites (that's what we're talking about right?), storing encrypted passwords isn't an automatic gimme for the attacker.
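The registration flow described in the first comment (plaintext goes into the confirmation email, then only a one-way hash is stored) as an added illustration; this is example code, not WordPress's implementation, and the PBKDF2 parameters are assumptions:

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed PBKDF2 work factor, not taken from any real site

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record holding only a random salt and a one-way PBKDF2 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def register(username: str, password: str) -> tuple:
    """Simulate the flow: compose the confirmation email first, then store the hash.

    The email body is the only place the plaintext survives; the stored record
    cannot be reversed, so a database leak does not hand out the password itself.
    """
    email_body = f"Welcome {username}! Your password is: {password}"
    stored = {"username": username, **hash_password(password)}
    return stored, email_body

if __name__ == "__main__":
    record, mail = register("alice", "hunter2")  # constructed sample input
    print(mail)
    print(record)
    print(verify_password(record, "hunter2"), verify_password(record, "hunter3"))
```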
Besides, what is the utility of sending such an email? If certain software is open source and I can be sure they are doing the right thing, I will be much more comfortable.
1. I didn't use to do this, but I got so many requests that I eventually caved. 2. No money changes hands on the site.
For example, for HN, you can use:
orycPASSWORDy
[2 last letters][2 first letters][master password][1 first letter]
Good idea to mix and match numbers in the master password for added security. So for HN it can be: orycpassword1y
The good thing is that you only need to remember a single password for all your sites, yet they are all different. And if you ever forget a password, you can figure out what it was by simply looking at the URL.
Password schemes like this are still inherently breakable; as soon as someone gets your key password then the rest is trivial to figure out - so why bother with the complication?
Plus, what do you do when you aren't using your own computer? Want to check your email at work? Nope, sorry, gotta provide the 25-digit randomly generated password.
Nothing is unbreakable; if someone wants your password they'll get it. For the password generator case they can just break into your house and steal your computer. Or organize a group of mercenaries to take hostages at AT&T to gain access to your packets... hey, we are talking about a nemesis, right?
And here is an added bonus... how do you know that random password generator app isn't sending all your passwords to a master file? Whoa, did I just blow your mind?
Different passwords are all you need for protection. That way, if the company loses your username/passwords, the bots that will be using that information to check the passwords on other sites won't get a hit.
Boycott might be too strong of a word. I just want to bring attention to this point that the user community cares about security and this is not a good practice.
Not sure what the difference is that made people care about this but not that, but I'm open to enlightenment.
Your post looks pretty relevant, related and good. I have voted it up if that helps.
http://www.techconsumer.com/2008/02/11/bad-form-companies-st...
Thank you tomfakes for the comment.
That'll go down real well with them. I think I'll skip this one.
Although there are better ways to set up an account, and maybe Google Apps should force the user to change their password on their first login, this is not the same as me setting up my own account and getting an email with my own password I just typed twice to register.