Why emailing passwords is a bad idea.

You may be reading this because somebody has got in touch and complained about you sending them their password as part of your signup process or 'forgotten password' function. I hope I can explain why this is not a good idea.

Times Change

Like everything else to do with computers, the world of internet security is constantly evolving. Ideas that seemed great just a few years ago turn out to be not such a good idea, and unfortunately this is one of them.

Best Practice

There are a number of reasons why emailing passwords to people is now considered an unwise idea.

  1. Email was not originally designed to be secure. Emails are often delivered in clear text over the internet and stored as easily readable files on servers. Messages can also bounce to unexpected places when something goes wrong and people sometimes share email accounts. If you email a password, consider that an unauthorised person might gain access to your service. That is probably not something that you want, especially if that can result in reputation damage or credit card chargebacks.

  2. Humans aren't very good at remembering good passwords, so people often use the same password for many services. This means that if the password is revealed other services may be accessed. If this includes internet banking, social media or email account information, the consequences could be significant. When you accept a password and other personal information from a customer, you are taking responsibility for keeping that information safe.

  3. If you are able to email a password, it likely means that you are storing the password in plain text. This means that if your site is compromised attackers can potentially make off with the email addresses and passwords belonging to your users. This annoys customers and leads to bad publicity, which will be something you want to avoid. If your site is storing passwords insecurely, there is an increased likelihood that it has other security issues. You may believe that your site is secure, but with successful attacks against massive names like Adobe, Snapchat and Yahoo leaking customer passwords, it is best not to take the risk.

What should I do?

As of early 2015, you should consider the following at minimum:

  1. Don't store passwords in plain text. You (or the product you choose) should use a one-way hash with key strengthening, such as bcrypt or PBKDF2. This may sound complex, but it is a way of turning a password into a form where you can verify that the right password has been used, but you can't tell what the original password is. A bonus side effect of these 'hash functions' is that they permit passwords of any length.

  2. You should also not encrypt the password in a manner that means it can be decrypted later on, as this is likely to be inadequate - think of it like using a padlock, but keeping the key next to it.

  3. Don't email a copy of the password when somebody signs up.

  4. The best way to handle forgotten passwords is to send the customer a link that will allow them to set a new password. It should be valid only for a short period (say 24 hours), and must stop working after the password has been changed.

  5. Passwords should always be transmitted securely - this means your site uses HTTPS and the little padlock appears in the browser.

I don't understand this. I just sell things through my website.

If your site does any of the following, then it is likely that it has aspects that are not adequately secure:

Hopefully you can ask the people responsible for your site or the vendor of product that you use to help you out. Alternatively, please consider engaging the services of somebody who does understand the detail on this page.

Contact: site@spod.cx