Do not send me my password via Email
A few days ago, for the first time in literally years, I received an Email from a website i signed up to, containing the password I used to sign up.
Here's why it's a terrible idea:
- Seeing my password on that Email makes me assume the password is being saved as plain text on the website's database.
This means, as soon as someone hacks the DB (happens to the biggest brands in the world, can happen to anyone) - my password is out. - The website sends an unencrypted Email - that in itself could be intercepted by someone else.
- If my Email is hacked, and I manage to eventually get my access back, my account on that website could be easily hacked as well (without the need to reset the password, so I wouldn't even know about it).
The simplest solution would be encrypting the password via SHA1, but SHA is now breakable.
I suggest using Bcrypt, StackOverflow goes over this (for PHP) solution and it is one of the safest way of storing passwords.
In fact, Meteor Accounts, Meteor's default User Accounts System, uses Bcrypt out of the box!
If you do encounter a website that sends your password via Email, please submit it to Plain Text Offenders, they have a handy collection of websites that still do that.
Posted in Technology