
Why are Site5 Q&A account passwords sent to users in plaintext?


I just signed up for Site5 Q&A (strange that I had to as I already have a hosting account) and I just got a rather disturbing automated email with my username and password completely in plaintext.

A system with good security would never even be able to show me my password in plaintext, as it would be encrypted / hashed / etc. when I enter it for the first time, and it would *never* be stored in plaintext.

These days it’s not uncommon to hear of hackers breaching various companies and stealing user information. The thought of my password being available in plaintext on your servers honestly makes me question what other bad security policies you have. It really undermines any confidence I had in the company as a whole.

Why are Site5 Q&A account passwords sent in plaintext? Will this ever be changed? Are any other account passwords (namely hosting accounts) also stored in plaintext?

Answer #1

Hello Jeff,

Yes, sending passwords in plain text is not a perfect solution. Ideally, these would be encrypted, and you would need to decrypt them on your end. That process raises several issues, however – it means we would need to provide you with the key to decrypt the password, at the very least. That means that we have two options:

1 – have an individual key for each customer
or
2 – use one key for everyone

Option 1 has a few problems. That is a massive amount of data to keep track of, and having that many keys basically means you have that many points of failure when resending a password on request.

Option 2 raises a pretty big security concern as well. If everyone uses the same key, then everyone can decrypt any password that they receive.

It is far easier, and safer, to simply reset your password once you receive it. We generate random passwords and send them to you, and you should then immediately change it to something secure. That way we do not have a record of it, at all. Our team cannot see your passwords, and any request to have them resent is automated. It often requires resetting them as part of the process.

Answered By: jdavey
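The flow the answer describes (a random temporary password is issued once, delivered to the user, and then replaced, with the service keeping no recoverable copy) can be implemented so that the server is genuinely unable to reproduce a password. The following is an added example written for this page; it is not Site5's code, and every name in it (`PasswordStore`, `Account`, the PBKDF2 iteration count, the 12-character minimum) is an assumption chosen for illustration. Only a per-account random salt and a PBKDF2-HMAC-SHA256 hash are stored, so a database dump contains neither the temporary password nor the one the user picks afterwards.

```python
# Added example (not Site5's code): a password store that never retains a
# recoverable password. A random temporary password is returned exactly once
# for delivery to the user; the store keeps only salt + hash and flags the
# account so the first successful login must replace the credential.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed parameters: PBKDF2-HMAC-SHA256, 100k iterations, 32-byte key.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
MIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password; the cleartext is discarded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True  # temporary credential: force rotation on first use


class PasswordStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def issue_temporary_password(self, username: str) -> str:
        """Create (or reset) an account with a random one-time password.

        The cleartext is returned once so it can be sent to the user; after
        this call the store holds only the salt and the hash.
        """
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, hash_password(temp, salt), True)
        return temp

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison of the derived key against the stored hash."""
        acct = self._accounts.get(username)
        if acct is None:
            # Still do the work so timing does not reveal whether the user exists.
            hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'change_required' (temporary password used) or 'denied'."""
        if not self.verify(username, password):
            return "denied"
        return "change_required" if self._accounts[username].must_change else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Rotate to a user-chosen password; the old hash is overwritten."""
        if not self.verify(username, old) or len(new) < MIN_PASSWORD_LEN:
            return False
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, hash_password(new, salt), False)
        return True

    def stored_record(self, username: str) -> tuple[bytes, bytes]:
        """What a database dump would expose: salt and hash, never the password."""
        acct = self._accounts[username]
        return acct.salt, acct.pw_hash


if __name__ == "__main__":
    store = PasswordStore()
    temp = store.issue_temporary_password("jeff")  # delivered to the user out of band
    print("temporary password issued:", temp)
    print(store.login("jeff", temp))                      # change_required
    store.change_password("jeff", temp, "correct-horse-battery")
    print(store.login("jeff", "correct-horse-battery"))   # ok
    print(store.login("jeff", temp))                      # denied
```

The point of the design is the one the question raises: because only a salted, iterated hash is kept, neither support staff nor an attacker with a copy of the database can read a password back, and the temporary credential stops working the moment the user replaces it. Returning "change_required" rather than "ok" for a temporary password is what enforces the "immediately change it" step instead of relying on the user to remember.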
