Broken Password Handling

It’s six months since I wrote my rant on password handling and, of course, there are still companies out there who don’t seem to care about handling customers’ passwords with respect. Today I was surprised to find that Six Apart were one of the worst offenders.

Following on from my earlier post I had a quick look at Type Pad. When trying register, I discovered that I had already registered but that I had forgotten my password (actually, I had forgotten that I had registered!) So I clicked the “I forgot my password” link, entered my email address and waited for the email.

Moments later, the email appeared. I was stunned to find that it included not only my password and my username, but also a link to log into Type Pad. Thereby ensuring that anyone who intercepted that email would have all of the information required to log on and use my Type Pad account.

Six Apart are breaking a number of fundamental principles here.

Firstly they are storing customers’ passwords in their database in plain text. This means that anyone who gains access to that database can read anyone’s password.

Then, when asked for a password, they just send it to the user. They should be sending a time-limited link to a URL that the user can use to change the password.

Then, they are unnecessarily sending the username in the same email. Like the Queen and the Prince of Wales, usernames and passwords should never travel together.

And finally, just in case anyone who intercepts the email isn’t sure which system they’ve just been handed a login to – they also include a link to the login page on their site.

I realise that people’s blogs don’t need the same level of security as a banking system. But it’s the principle of the thing. They should be taking more care of your password. Every web site should be taking care of its users’ passwords. It’s a matter of respect.

Try this experiment. Click the “I forgot my password” link on three or four of the web sites that you are registered with. See how many of them send back your password in plain text. I bet it’s a lot. Write an email complaining if they do.

I’ve raised a bug report against Type Pad. I’ll let you know what happens.

p.s. Incidently, someone in Six Apart must know the right way to handle passwords. The passwords in the Movable Type database are all encrypted. But that requirement was obviously dropped when they were writing the specifications for Type Pad.

Leave a Reply

Your email address will not be published. Required fields are marked *