Geekzone: technology news, blogs, forums


jonathan18

7415 posts

Uber Geek
+1 received by user: 2850

ID Verified
Trusted

#207992 22-Jan-2017 15:27

So I created an account with No 1 Fitness today to purchase something; in my confirmation email was my password, which I'd randomly generated using LastPass. May as well not have bothered if this is their way of working!

How acceptable is this kind of practice in 2017? Are there any excuses for this?

Does this mean it is likely that my password will be stored unencrypted in their system?

No 1 Fitness appears to be owned by Torpedo 7, which in turn, I think, is owned by The Warehouse. So it's not like a small outfit that may not know any better...

I've emailed them to question their practice, so will be interested to see if I get a meaningful response...


timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #1707470 22-Jan-2017 15:32

It increases the chances the password is stored unencrypted, but they can create the password before it's encrypted and stored. It's not really good practice.




richms
29098 posts

Uber Geek
+1 received by user: 10208

Trusted
Lifetime subscriber

  #1707472 22-Jan-2017 15:43

Yeah, it's pretty terrible, but they have to weigh up the support costs vs the risk of someone's password being found in their email. I know of a site that emails people every password change. Drives the IT guys crazy, but without it they were constantly having to help customers through password changes since they would forget them. It's not all about security in business; plenty of other usability things have to be taken into consideration too.





Richard rich.ms

sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1707474 22-Jan-2017 15:47

How acceptable is it? That depends on what you class as acceptable. It's not best practice, but it's very common.

Password retrieval via email is still common. I'd say in the past few months I've had 2-3 sites that have sent me emails in clear text for password recovery.




Bananabob
512 posts

Ultimate Geek
+1 received by user: 119

ID Verified
Trusted

  #1707483 22-Jan-2017 16:15

I always change my password after each reminder I am sent. That way the stored password is not the one in the email. I then hope their customer database is encrypted.  


pbgben
261 posts

Ultimate Geek
+1 received by user: 48


  #1707572 22-Jan-2017 18:21

Retrieving a password once an account is created or the password has been updated is not the worst thing. However, if they send the password in an email as a "Forgot Password" method then god help us. 

 

Saying that, you should not be using the same passwords across any platforms/sites. Get a password manager if you need to, or write it down in a book (this is much better than having the same one on every site).
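An added illustration (not code from any poster, and not No 1 Fitness's or Torpedo 7's code) of timmmay's point that a welcome email can carry the plaintext even when only a hash is stored, and of pbgben's distinction that a "Forgot Password" email containing the password is only possible when the site keeps it in a recoverable form. It assumes PBKDF2-HMAC-SHA256 with a constructed work factor and constructed sample credentials.

```python
"""Two password stores side by side: salted-hash vs plaintext.

At signup the plaintext is in memory either way, so both flows
could put it in a welcome email.  Only the plaintext store can
later hand the password back for a "forgot password" request.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this illustration


def register_hashed(username: str, password: str) -> dict:
    """Persist only a per-user random salt and a PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}


def register_plaintext(username: str, password: str) -> dict:
    """The pattern the thread worries about: the password is kept as-is."""
    return {"user": username, "password": password}


def welcome_email(record: dict, password: str) -> str:
    """Signup mail built while the plaintext is still in memory; works
    for both stores, so a welcome email alone proves nothing about storage."""
    return f"Welcome {record['user']}, your password is {password}"


def verify(record: dict, candidate: str) -> bool:
    """Login check for either record shape, using constant-time comparison."""
    if "password" in record:
        return hmac.compare_digest(record["password"], candidate)
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def forgot_password_email(record: dict):
    """Return the password if the store can reproduce it, else None.
    A hashed store cannot answer this, so it must issue a reset instead."""
    return record.get("password")


def stored_plaintext_anywhere(record: dict, password: str) -> bool:
    """Simple substring audit of a stored record for the plaintext password."""
    return any(password in str(value) for value in record.values())
```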





mattwnz
20515 posts

Uber Geek
+1 received by user: 4795


  #1707573 22-Jan-2017 18:23

What about the websites that have login pages, or pages where you have to enter your personal details, username, password etc., that aren't using a security certificate? I think that is worse. But there is a balance between security, practicability, ease of use and cost of supporting it. IMO the whole username/password system belongs in the 20th century. Iris and fingerprint scanning is now becoming more common, but it needs a central system, so users don't have to rely on each business's system for storing and keeping that info secure.


pbgben
261 posts

Ultimate Geek
+1 received by user: 48


  #1707830 23-Jan-2017 09:48

mattwnz:

What about the websites that have login pages, or pages where you have to enter your personal details, username, password etc., that aren't using a security certificate? I think that is worse. But there is a balance between security, practicability, ease of use and cost of supporting it. IMO the whole username/password system belongs in the 20th century. Iris and fingerprint scanning is now becoming more common, but it needs a central system, so users don't have to rely on each business's system for storing and keeping that info secure.

Seeing that SSL is now free, there is no reason for anyone to go without. But politics within a company have always stifled things. I use two factor where possible, and even then it's between Authy and Google Authenticator because #choice





nathan
5695 posts

Uber Geek
+1 received by user: 1630
Inactive user


  #1707924 23-Jan-2017 11:15

It's acceptable enough until you vote with your feet and they realize customers care about security.

