CNET también está disponible en español.

Ir a español

Don't show this again


A call for the end of plain text passwords

This is a plea for web services to stop sending plain text passwords through email.

One of the many examples of plain text passwords being transmitted through email.

Nothing strikes fear into our hearts like seeing one of our secret passwords, that we have guarded with our lives (well, maybe not so much), displayed in plain text. Even though you would be hard pressed to find anyone who approves of the practice, we find many websites that greet their new users with an email containing their super-secret password. As you open that email you almost feel betrayed. The password that you have worked so hard to protect is right there in front of your eyes.

Even if there is no significant security risk to transmitting passwords via plain text, it gives users the impression that security is not a top priority for the creators of the site. There is no reason for this practice to still be in existence today. Good password management technology for websites is very prevalent. If you can't build a proper password system for your site, just opt for using OpenID or another similar service.

I propose that all sites should have an automated password reset system that either allows the user to create a new password from an authentication link or through a one-time use password, sent to their email. Plain text passwords should never be displayed or sent through email.

No more excuses. Let's squash this lazy practice once and for all.