On May 27, 2015 at 14:22 jo...@iecc.com (John R. Levine) wrote:
> > The OP was correct, if they can send you your cleartext password then
> > their security practices are inadequate, period.
> >
> > Unless I misunderstand what you're saying (I sort of hope I do) this
> > is Security 101.
>
> As I've said a couple of times already, but perhaps without the capital
> letters, from a security point of view, generating a NEW PASSWORD and
> sending it in cleartext is no worse than sending you a one time reset
> link. Either way, if a bad guy can intercept your mail, you lose.
>
> A few moments' thought will confirm this has nothing to do with the way
> passwords are stored within the mail system's database.
Sure, I agree, but that's not what the post I was responding to was discussing, so caps wouldn't make much difference.

But only the link can be secured by asking a security question before first use. For the cleartext password an attacker only has to wait for you to answer the question and hope you don't immediately change the password.

I suppose asking a question on first use of a new cleartext password AND forcing you to change that password immediately is about the same as the link, particularly if it doesn't let you use that same password.

But storing cleartext passwords, encrypted or not, is a bad and indefensible practice.

I remember a common dial-up login protocol which required the server to encrypt initial interaction with the customer's password so you absolutely had to have their cleartext password if they were ever to log in again. What was it, PAP or CHAP or something like that. Ugh, we resisted that.

-- 
        -Barry Shein

The World              | b...@theworld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD          | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet       | SINCE 1989     *oo*
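An added example, not part of the thread and not a claim about which protocol the post had in mind: RFC 1994 CHAP has the authenticator recompute MD5(Identifier || secret || Challenge), so it must hold the cleartext secret, whereas a server that receives the password itself can keep only a salted, iterated hash. The secret, identifier and challenge values below are constructed for the demo.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_authenticate(identifier: int, challenge: bytes, response: bytes,
                      cleartext_secret: bytes) -> bool:
    """Authenticator side. It has to recompute the peer's response for a fresh
    challenge, which is only possible with the secret itself (RFC 1994 s.2.2);
    a one-way hash of the secret cannot produce this value."""
    expected = chap_response(identifier, cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)


def store_hashed(password: bytes, iterations: int = 100_000) -> dict:
    """A server that receives the password on each login needs only a salted,
    iterated PBKDF2 hash; the password is not recoverable from the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_hashed(record: dict, candidate: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate, record["salt"],
                                 record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def demo() -> tuple:
    secret = b"constructed-demo-secret"  # constructed value
    ident, challenge = 7, os.urandom(16)
    # Peer answers the challenge; authenticator checks it using the cleartext secret.
    resp = chap_response(ident, secret, challenge)
    chap_ok = chap_authenticate(ident, challenge, resp, secret)
    chap_bad = chap_authenticate(ident, challenge, resp, b"wrong-secret")
    # Password-submission model: only a salted hash is stored, yet login still works.
    rec = store_hashed(secret)
    hashed_ok = verify_hashed(rec, secret)
    hashed_bad = verify_hashed(rec, b"wrong-secret")
    # Nothing in `rec` lets the server compute chap_response() for a new challenge,
    # which is why a CHAP authenticator cannot use this kind of store.
    return chap_ok, chap_bad, hashed_ok, hashed_bad


if __name__ == "__main__":
    print(demo())
```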