You're Doing It Wrong: Passwords in Plaintext

This article is cross-posted on the NYSTEC Info Security Advisor blog.

Customer:  I forgot my password.

Website:  No problem! Here’s your new password via email — fully visible for your convenience!


Oh, the pain. The pain.



There’s so much wrong here.

First, email is not a secure way to send confidential information. Emailing a password makes as much sense as posting an image of your new credit card and CVV number on Facebook. How should you be getting that new password instead? Check out the Open Web Application Security Project (OWASP) guidelines.

Second, getting a password sent to you in plaintext (or cleartext) means your password is being stored in plaintext. Not hashed or encrypted. Visible to anyone. If that website becomes compromised or your email is exposed, your password could be shared with every hacker in the world.

Bonus badness: If a hacker gains access to your plaintext password, and you use the same password for all of your accounts, have fun trying to recover all of those accounts after the hacker changes your password(s) and email address!

If a website sends you a password in plaintext, it’s okay to cringe. The good news is that it may not be completely terrible. If it’s a one-time password (i.e., a temporary password), that’s sort of passable, especially if it comes with an expiration date. (A far better solution would have been getting a one-time link to click.)

However, if you’re emailed your real password in plaintext, that is completely terrible. Do not store any personal information on that site — credit card numbers, bank accounts, and passwords should be considered off-limits. And never use that password anywhere else.
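For site owners, here is a sketch of the alternative described above: the password is stored only as a salted hash, and a forgotten password is handled with an expiring, single-use reset link. This is an added example, not code from the original article or from OWASP; the `AccountStore` class, the `example.test` URL, the 15-minute lifetime and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

PBKDF2_ROUNDS = 600_000      # assumed work factor for this example
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory stand-in for the site's user table (constructed for this example)."""

    def __init__(self):
        self.passwords = {}  # user -> (salt, salted hash); never the password itself
        self.resets = {}     # user -> (SHA-256 of reset token, expiry time)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, _hash_password(password, salt))

    def check_password(self, user, password):
        if user not in self.passwords:
            return False
        salt, stored = self.passwords[user]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def issue_reset_link(self, user, now=None):
        """Return the link to email; only a hash of its token is kept server-side."""
        token = secrets.token_urlsafe(32)
        expires = (time.time() if now is None else now) + RESET_TTL_SECONDS
        self.resets[user] = (hashlib.sha256(token.encode()).digest(), expires)
        return "https://example.test/reset?" + urlencode({"user": user, "token": token})

    def redeem_reset(self, user, token, new_password, now=None):
        """Set a new password if the token matches, is unexpired, and is unused."""
        now = time.time() if now is None else now
        token_hash, expires = self.resets.get(user, (b"", 0.0))
        supplied = hashlib.sha256(token.encode()).digest()
        if now >= expires or not hmac.compare_digest(token_hash, supplied):
            return False
        del self.resets[user]  # single use: the same link cannot be replayed
        self.set_password(user, new_password)
        return True
```

Because the store holds only hashes, the site has nothing it could email back as "your password", and a leaked copy of the reset table does not yield working links.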

Passwords are the most valuable bit of information you have. Something that valuable deserves respect. If a website is saving your password in plaintext, then your password — and you — aren’t getting the respect you deserve.

The links in this content are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed therein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.