Monday, October 04, 2010

How NOT to send account info by mail

(Do i really have to explain this?)
So, i registered at yet another site here the other day, out of curiosity on password practices and so on. Sure, registration using https was in place. I mean, seriously, its 2010, the bad guys are everywhere it seems. Of course you do SSL encryption of account registration on your website, right? Well, the world still has surprises for us all.

See; the picture above is a screenshot - heavily obfuscated - I took from the e-mail I received from the website after completing the registration. A site that may keep very personal information about myself over time (hence the obfuscation). The e-mail was sent without SSL/TLS encryption, again adding to my feature request to Google mail and Microsoft Live Hotmail for STARTTLS (RFC3207) support.

Anyway, despite the lack of SSL/TLS encryption on its way from sender to receiver, how STUPID can anyone possibly be, setting up a service that will send complete URL and full registration info including username/password in a single unencrypted e-mail back to the user after registration? I wonder how these people do password recovery, in case of lost password? (Oh wait... no... I'm not sure I really want to know...)

So I'll end this really quick and easy blog post by asking a simple question:
I'd like to hear from anyone who have received the same type of e-mail from what-should-be serious and professional services on the Internet. (I've got plans for a bigger blog post here...)

Hey, you can even send it to me by encrypted e-mail: per -> thorsheim dot net. My public key is available from several key servers.


  1. This is the same reason why I often run a "I forgot my password" check on sites that I sign up to. The scary thing for me is not the un-encrypted e-mail, but the fact that it looks like the password they sent you is your actual password and not a one-time password for your initial log-in. That means they probably store your plaintext password, (instead of a hash of your password), in their database.

    That's really scary since A) it shows that the site probably isn't using an updated database/authentication framework, (or worse yet they threw it together themselves), and B) Attackers often break into sites and if the passwords are stored in plaintext, use them to access other accounts that belong to the users (hey they have your username and e-mail address as well). This isn't a theoretical attack. I've been analyzing several disclosed carder forums, (where cyber-criminals sell their services and trade stories), and using stolen passwords from sites is a very active attack vector.

    I know I'm preaching to the choir here. Basically I just wanted to say thanks for posting this since it's an issue that deserves a lot of attention.

  2. You are preaching to the choir for sure Matt! :-)

    Now for the important part: any relevant links for "standards" doing these things? Or should I/we go for a joint project testing 100+ of the larger sites, documenting their approach into a matrix and publishing the TOP 10 list?

    Just another idea from an endless stream... ;-)

  3. Two really good papers came out on this subject just a couple of months ago. Joseph Bonneau wrote an excellent paper which is available at:

    And Dinei Florencio and Cormac Herley over at Microsoft published a similar study entitled: "Where do Security Policies Come From?"

  4. ... and the price for the fastest response goes to <you-know-who-you-are), for sending me 6 - SIX - examples of similar e-mails within 15 minutes after I posted this piece. I have no choice but to dig deeper into this now i guess. :-)


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.