Kitz Forum

Computer Software => Security => Topic started by: sevenlayermuddle on October 02, 2012, 01:45:29 PM

Title: Companies House - worst ever security?
Post by: sevenlayermuddle on October 02, 2012, 01:45:29 PM
I started the process of registering a company a few days ago, then decided it was better left until I was sober. But I'd got as far as registering a user name and password.

Shortly afterwards I receive a plain text email, thanking me for registering, and confirming my email address and chosen password, all in plain text.

Unbelievable :wall:
Title: Re: Companies House - worst ever security?
Post by: roseway on October 02, 2012, 02:37:28 PM
Incredible, isn't it? This is common when you register with a web forum or something similar, but I would like to think that business registration would be subject to rather tighter security.
Title: Re: Companies House - worst ever security?
Post by: sevenlayermuddle on October 02, 2012, 03:05:49 PM
Quote from: roseway on October 02, 2012, 02:37:28 PM
Incredible, isn't it? This is common when you register with a web forum or something similar, but I would like to think that business registration would be subject to rather tighter security.

Indeed, I had a similar complaint regarding PC World a few weeks ago. But given all of our expectations of that organisation, it was hardly that surprising.

You expect better from a .gov.uk website!
Title: Re: Companies House - worst ever security?
Post by: hake on October 02, 2012, 04:44:16 PM
I don't.  Sounds like par for the course with HMG IT.  It's absolutely disgraceful that the state sets such an appallingly bad example.
Title: Re: Companies House - worst ever security?
Post by: sevenlayermuddle on October 02, 2012, 07:01:34 PM
In fact it looks like I've missed the boat a bit, as this story broke a few weeks ago. There are several links to be found to:

http://www.my-scrib.com/corporate-id-theft-companies-house/

Actually though, I think the authors of that story may have missed the point slightly. The 'second password', as they call it, actually appears to be an 'authentication code' that is invented by Companies House, and which is used together with the password. But whilst it is posted in plain text by paper post to the registered office, at least the envelope is, I assume, sealed.

In contrast, the email portion which contains the user's chosen password is somewhat akin to sending an open postcard, as opposed to a sealed letter.  And if you use that password for any other websites, then they too are immediately compromised by the Companies House email.
Title: Re: Companies House - worst ever security?
Post by: kitz on October 02, 2012, 08:50:38 PM
I agree it does seem poor practice  :(

Quote from: roseway on October 02, 2012, 02:37:28 PM
This is common when you register with a web forum or something similar, but I would like to think that business registration would be subject to rather tighter security.

I'm not 100% certain on this, but I don't think SMF sends out passwords in plain text, and it relies on the member remembering the password they chose. If you've forgotten it, it's a full reset of password, rather than sending a reminder email.

Title: Re: Companies House - worst ever security?
Post by: roseway on October 02, 2012, 10:48:49 PM
Quote from: kitz on October 02, 2012, 08:50:38 PM
I'm not 100% certain on this, but I don't think SMF sends out passwords in plain text, and it relies on the member remembering the password they chose. If you've forgotten it, it's a full reset of password, rather than sending a reminder email.

I don't think it applies to SMF, but a lot of forums and commercial sites do send plain text emails to new members, with the password in plain view. Of course they shouldn't really hold a plain text version of the password at all, which is why they have to generate a new one if a member forgets their password. The forum should only hold an encrypted copy of the password, and I'm fairly sure that's what SMF does.
Title: Re: Companies House - worst ever security?
Post by: kitz on October 03, 2012, 12:12:43 AM
I think you're correct, Eric :)
Title: Re: Companies House - worst ever security?
Post by: sevenlayermuddle on October 03, 2012, 02:11:27 AM
I seem to recall some forums and other websites sending me a temporary computer-generated password initially, which implicitly allows them to validate my email address as part of registration.

That is just about acceptable as I regard the temporary password as 'theirs', and they are responsible for the security of their own registration process.  If users wish to have secure access, they simply change that temporary password before using the service for anything they care about.

But I am at a loss to understand why Companies House emailed my password at all; doing so served no purpose that I can see, and it was of course my chosen 'permanent' password, not a temporary one.
Title: Re: Companies House - worst ever security?
Post by: Chrysalis on August 31, 2013, 09:47:27 AM
Whilst I don't think sending a password in an email is the end of the world, the underlying factor behind it is more worrying.

Generally, if a system is able to tell you your existing password, it means it's 'stored' unencrypted. That to me is the much bigger concern.
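The point roseway and Chrysalis make above (a site that can quote your password back to you must be keeping it in a recoverable form, and a site that only holds a one-way hash is forced to do a full reset instead) is easy to show in code. The block below is an added illustration written for this thread; it is not Companies House's or SMF's code, and the class and field names, the iteration count and the example.invalid reset URL are all assumptions. It stores a salted PBKDF2 digest at registration, so the welcome message can be built only from data that does not contain the password, and it handles the forgotten-password case the way sevenlayermuddle describes as acceptable: a single-use, time-limited token is sent out instead of any password, permanent or temporary.

```python
"""Added example: password storage that cannot reproduce the user's password.

Constructed for illustration, not code from Companies House or SMF.
Names, iteration count and the reset URL are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumption: tune to your hardware budget
RESET_TOKEN_TTL = 15 * 60     # seconds a reset link remains valid


class UserStore:
    """Holds only salt + PBKDF2 digest per user; never the password itself."""

    def __init__(self):
        self._users = {}    # username -> {"salt": bytes, "hash": bytes}
        self._resets = {}   # username -> {"token_hash": bytes, "expires": float}

    @staticmethod
    def _derive(password, salt):
        # One-way: given salt and digest there is no way back to the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt)}
        # The welcome mail is assembled from the stored record only, so the
        # password cannot leak into it: nothing recoverable exists to quote.
        return {"to": username, "body": "Thanks for registering, %s." % username}

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            # Burn the same time as a real check so unknown users are not
            # distinguishable from wrong passwords by response time.
            self._derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"])

    def request_reset(self, username, now=None):
        """Forgotten password: mail a token, never a password. Returns the mail."""
        if username not in self._users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store a hash of the token; a database leak then cannot be replayed.
        self._resets[username] = {
            "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
            "expires": now + RESET_TOKEN_TTL,
        }
        return {"to": username,
                "body": "Reset link: https://example.invalid/reset?token=" + token}

    def complete_reset(self, username, token, new_password, now=None):
        """Accept the token once, within its lifetime, and set a new password."""
        pending = self._resets.get(username)
        if pending is None:
            return False
        now = time.time() if now is None else now
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if now > pending["expires"]:
            return False
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        del self._resets[username]          # single use
        salt = os.urandom(16)               # fresh salt with the new password
        self._users[username] = {"salt": salt,
                                 "hash": self._derive(new_password, salt)}
        return True


if __name__ == "__main__":
    store = UserStore()
    print(store.register("alice", "correct horse"))      # no password in the mail
    print(store.verify("alice", "correct horse"))         # True
    print(store.request_reset("alice"))                   # token, not a password
```

The design choice worth noting is that the reset token is itself only stored hashed, so the reset path does not reintroduce the recoverable secret that hashing the password removed; a leaked table gives an attacker neither passwords nor usable reset links.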