8

I forgot my password to my mindfactory account, one of Germany's biggest online vendor for computer components. So I go through the resetting process, which is:

- apply for password reset
- get a mail
- confirm the mail
(So far, so good)

- get a mail with a new CLEAR TEXT PASSWORD

Is this the stone age!?

You never send an email containing the cleartext! You never even store the password as is!
You, as the provider, should never be able to know what the actual password was.

All you are supposed to do is to generate a random salt, and hash the user's password with the salt, and then you only store the salt and the hash. And whenever a user inputs their password, all you do is to check if the you can recreate the hash with the help of the salt and your hash algorithm. (There are libraries for that!)

If a user wants to reset their password? Send them to a mail with link on where they can assign a new password.

At no point should the password ever be stored or transmitted in any other medium.

Comments
  • 1
    Just because they are sending you the password in plaintext, does not necessarily mean that they are storing it as plaintext.
  • 2
    @feroza although they might not be storing it in plaintext, that doesn't mean that the email client isn't storing it in plaintext...
  • 0
    Are you talking about xda developers?
  • 0
    @djlazz3
    Well, the first thing to do is changing it again, so that's not really a problem. Only those who have access to your email account will see the password, and they can click the link as well.
  • 0
    @feroza how would that be possible?
Add Comment