DEV Community

Erika Wiedemann

On Plaintext Login Details

This post was originally written January 17, 2017. I'm migrating all posts from my personal blog onto dev.to.

Recently, I registered for a new online community for ladies in technology, part of the whole "get-out-there" goal. I went through the standard process of signing up with my email, using LastPass to generate a new password and save the entry in my vault, and so on. I was pretty alarmed when, half a minute later, I received an email with all my login details... including the password in plaintext!

"Congratulations on entering the tech community!

The login information for your account is: 
Email: email@email
Password: password

..."

What are your thoughts on this? I asked around, and it seems like this used to be standard practice; the consensus was that it's old, but still fine to use.

I explored the community a bit more and it was clear that the website doesn't handle any personal information about its users. There's no profile or chat section. The website is mostly links to local events and job postings. It's clear this isn't a high-security venture, and strong password protection may not be necessary. That said, I truly think all services should take every step they can to help users protect and increase their online security. What if I hadn't been using a password generator, and the password I chose was one I'd already used on another platform? Oops.

As an alternative, look at how Slack handles new users. When registering for a new channel, you receive a little email like so:

"Your Slack Account Information

Hi Erika, 

Welcome to Slack! You've joined the team teamName. In case it's handy,
here's a copy of your account details:

Team Name: teamName
Team Domain: http://teamURL
Sign-in Email Address: email@email

..."

This serves the same purpose with all the info you need without the password. I like how it doesn't assume my email inbox is absolutely secure while still providing useful information I can archive.
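A sign-up handler that follows the Slack pattern above, as an added example that is not part of the original post: the password is stored only as a salted PBKDF2 hash, the welcome mail is rendered from an allow-list of non-secret fields, and an outbound check refuses to send anything that still contains the password. The in-memory user store, the field names and the 600,000-round work factor are assumptions made for the example.

```python
import hashlib
import os
import secrets

# Constructed in-memory user store for the example: email -> (salt, PBKDF2 hash).
USERS: dict = {}
PBKDF2_ROUNDS = 600_000  # assumption: a current OWASP-style work factor for PBKDF2-HMAC-SHA256


def register(email: str, password: str) -> None:
    """Store only a salted, stretched hash; the plaintext never touches the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[email] = (salt, digest)


def verify(email: str, password: str) -> bool:
    """Check a login attempt against the stored hash using a constant-time comparison."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, digest)


# Allow-list of fields the welcome mail may contain: everything here is non-secret.
WELCOME_FIELDS = {"team_name": "Team Name", "team_domain": "Team Domain",
                  "email": "Sign-in Email Address"}


def welcome_email(first_name: str, details: dict) -> str:
    """Render the Slack-style account summary; any field outside the allow-list is refused."""
    unknown = set(details) - set(WELCOME_FIELDS)
    if unknown:
        raise ValueError(f"refusing to mail non-allow-listed field(s): {sorted(unknown)}")
    lines = [f"Hi {first_name},", "",
             f"Welcome! You've joined the team {details['team_name']}. In case it's handy,",
             "here's a copy of your account details:", ""]
    lines += [f"{label}: {details[key]}" for key, label in WELCOME_FIELDS.items()]
    return "\n".join(lines)


def registration_flow(first_name, email, password, team_name, team_domain) -> str:
    """Sign-up handler: hash the password, then build a mail that cannot contain it."""
    register(email, password)
    body = welcome_email(first_name, {"team_name": team_name,
                                      "team_domain": team_domain, "email": email})
    # Belt-and-braces outbound check: even if the template is edited later, the raw
    # password must never appear in anything handed to the mailer.
    if password in body:
        raise RuntimeError("plaintext password leaked into outgoing mail")
    return body
```

The outbound check is deliberately conservative: a password that happens to equal the user's email or team name would also be refused, which is the safer failure.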

I reached out to the new community's help desk and was really happy with the response. The company they hired said including the password is standard practice, but the community agreed that it should be removed for the extra security, so it will be phased out.

What do you think of emailing users their account information on sign-up? Still required? Should passwords be included?

Top comments (2)

Ben Halpern

Whether this was ever common practice, it really should be impossible for an app to send you a password in plain text.

It’s scary how much trust we put in web platforms which could be doing anything.

Regarding passwords, if we’re generating random passwords, then at least the app can only leak that password, and not your re-used password.

Sergey Kislyakov

Well, they can send you the password before encrypting it and adding it to the database. Yet I agree with Ben that no app should ever send you your password, only the link to reset it.