Geekzone: technology news, blogs, forums


jonathan18

7413 posts

Uber Geek

ID Verified
Trusted

#207992 22-Jan-2017 15:27

So I created an account with No 1 Fitness today to purchase something; in my confirmation email was my password, which I'd randomly generated using LastPass. May as well not have bothered if this is their way of working!

 

How acceptable is this kind of practice in 2017? Are there any excuses for this?

 

Does this mean it is likely that my password will be stored unencrypted in their system?

 

No 1 Fitness appears to be owned by Torpedo 7, which in turn, I think, is owned by The Warehouse. So it's not like a small outfit that may not know any better...

 

I've emailed them to question their practice, so will be interested to see if I get a meaningful response...


timmmay
20580 posts

Uber Geek

Trusted
Lifetime subscriber

  #1707470 22-Jan-2017 15:32

It increases the chances the password is stored unencrypted, but they can create the password before it's encrypted and stored. It's not really good practice.




richms
28177 posts

Uber Geek

Trusted
Lifetime subscriber

  #1707472 22-Jan-2017 15:43

Yeah, it's pretty terrible, but they have to weigh up the support costs vs the risk of someone's password being found in their email. I know of a site that emails people every password change. Drives the IT guys crazy, but without it they were constantly having to help customers through password changes since they would forget them. It's not all about security in business; plenty of other usability things have to be taken into consideration too.





Richard rich.ms

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1707474 22-Jan-2017 15:47

How acceptable is it? That depends on what you class as acceptable. It's not best practice but it's very common.

 

Password retrieval via email is still common. I'd say in the past few months I've had 2-3 sites that have sent me emails in clear text for password recovery.

 

 




Bananabob
511 posts

Ultimate Geek

ID Verified
Trusted

  #1707483 22-Jan-2017 16:15

I always change my password after each reminder I am sent. That way the stored password is not the one in the email. I then hope their customer database is encrypted.  


pbgben
261 posts

Ultimate Geek


  #1707572 22-Jan-2017 18:21

Retrieving a password once an account is created or the password has been updated is not the worst thing. However, if they send the password in an email as a "Forgot Password" method then god help us. 

 

Saying that, you should not be using the same passwords across any platforms/sites. Get a password manager if you need to, or write it down in a book. (This is much better than having the same on every site.)
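An added example, not part of the thread and not any poster's or site's code: it shows the two cases the replies above distinguish. At sign-up the plaintext is in memory before hashing, so emailing it does not prove plaintext storage, while a "forgot password" flow over hashed storage can only issue a reset token. The function names, the in-memory dictionaries and the PBKDF2 parameters are assumptions of this sketch.

```python
import hashlib, hmac, secrets, time

USERS = {}         # email -> (salt, hash); in-memory stand-in for the user table
RESET_TOKENS = {}  # sha256(token) -> (email, expiry); the raw token is never stored

def _kdf(password, salt):
    # Slow salted hash; PBKDF2 and the iteration count are this example's choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _store(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = (salt, _kdf(password, salt))

def register(email, password):
    """Store only salt + hash and return the confirmation email body."""
    _store(email, password)
    # The plaintext is still in memory at this point, which is how a site can
    # email it at sign-up yet store only a hash. This body leaves it out.
    return f"Welcome {email}, your account has been created."

def verify(email, password):
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _kdf(password, salt))

def forgot_password(email, now=None, ttl=900):
    """The password cannot be recovered from the hash, so issue a reset token."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (email, now + ttl)
    return token  # goes into the emailed reset link

def reset_password(token, new_password, now=None):
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or now > entry[1]:
        return False  # unknown, already used, or expired
    _store(entry[0], new_password)
    return True
```
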





mattwnz
20157 posts

Uber Geek


  #1707573 22-Jan-2017 18:23

What about the websites that have login pages, or pages where you have to enter your personal details and username, password etc., that aren't using a security certificate? I think that is worse. But there is a balance between security, practicability, ease of use and cost of supporting it. IMO the whole username/password system belongs in the 20th century. Iris and fingerprint scanning is now becoming more common, but it needs a central system, so users don't have to rely on each business's system for storing and keeping that info secure.


pbgben
261 posts

Ultimate Geek


  #1707830 23-Jan-2017 09:48

mattwnz:

What about the websites that have login pages, or pages where you have to enter your personal details and username, password etc., that aren't using a security certificate? I think that is worse. But there is a balance between security, practicability, ease of use and cost of supporting it. IMO the whole username/password system belongs in the 20th century. Iris and fingerprint scanning is now becoming more common, but it needs a central system, so users don't have to rely on each business's system for storing and keeping that info secure.

Seeing that SSL is now free, there is no reason for anyone to go without. But politics within a company have always stifled things. I use two factor where possible, and even then it's between Authy and Google Authenticator because #choice





 
 
 

nathan
5695 posts

Uber Geek
Inactive user


  #1707924 23-Jan-2017 11:15

It's acceptable enough until you vote with your feet and they realize customers care about security.

