Don’t Make This Capital-B Basic Security Mistake
With online security concerns bigger and more complicated than ever, it's important not to forget the simple stuff along the way. Here's a basic security mistake a lot of websites are guilty of. Make sure your association isn't screwing this one up, too.
No naming names, but last week I was emailed something I was shocked to receive: The password I just typed in on a website.
In some rare cases it is OK to receive a password in an automated email—say, a temporary password that you’ll reset immediately.
But this wasn’t such a case. This was a startup that emailed me a password to an account I had just created on its website. If (heaven forbid) this email account was hacked, the hacker would not only have access to my email account but also the account for that startup. Even worse, if I was surfing the internet on an unsecured connection, anyone who was snooping data could catch a glimpse of that password. And when that email was sent, it likely went through a couple of intermediary email servers, which also, for a brief second, gained an automated glimpse of this password.
For a startup, that’s bad form, and I told them so. They responded and told me that since I had no data stored with them yet, I shouldn’t have any concerns. I’m not gonna lie—it left a bad taste in my mouth. How am I supposed to trust this service when it makes such a basic security mistake?
Naming and Shaming
This is not a new problem. In fact, it’s a pretty common one. Way back in 2012, security journalist Brian Krebs (a guy who knows a thing or two about bad apples, by the way) ran into a problem with another service that did the exact same thing. He did a password reset, and it emailed him the raw password, in a format for all the world to see.
“The site was used to store inconsequential files and images, but I cancelled my subscription nonetheless because the company’s response to my password reset request proved that they were storing my password without even making the weakest attempts at encrypting the information or storing it in a protected format,” Krebs wrote in a blog post.
Krebs’ 2012 post also introduced me to an interesting site that I think highlights exactly how widespread this problem is. The service, Plaintext Offenders, is a Tumblr page that names-and-shames companies and organizations that insecurely distribute passwords, via email, over plain text. The list is long, goes back years, and features offenders both big and small.
And they’re sites that you use on a daily basis, too. On the not-nearly-long-enough list of reformed offenders are Smashing Magazine, a prominent design blog, and Newegg, a major online electronics retailer.
Some out there would probably use this as an opportunity to name-and-shame, but I think it’s way more helpful to the world to offer a little advice on basic security.
Let’s explain why this is a problem from a public relations standpoint.
For those who know something about security—the IT staffs of the world, those who read Brian Krebs’ blog—open password sharing is a sign that you don’t take security seriously, which can be a major deterrent for businesses.
In a world where large organizations get their security poked and prodded on a daily basis, not emailing users passwords—and instead, sending along a secured link to a “password reset” page—should be a capital-B basic strategy to ensure security. For those eyeing potential targets, this is a giant dog whistle, a way to draw in exactly the kind of attention you don’t want.
But for those who don’t know nearly as much about security, it may not specifically spell out a problem, but it nonetheless creates one that should be discussed and remedied. It’s better to be on top of this problem now than to have to respond to it later.
Don’t Ignore Security. Incentivize It.
In 2004, it was pretty common for websites or organizations with login mechanisms to use the plaintext approach to sharing passwords. But this is 2016. We’re in an era where security means more from both a business and technology perspective, and we should do things to better incentivize it.
One of my favorite examples of this comes from the email service MailChimp. A couple of years ago, the company announced it would give a 10 percent discount to users who turned on two-factor authentication to secure their accounts.
“Previously, we gave a 2 percent discount, which was probably only significant for high volume senders,” the company wrote in a blog post. “Ten percent makes it significant for everybody.”
This is a business strategy that can be borrowed from and added to. What if, instead of sending plaintext passwords to your members, you convinced them to use secure authentication by offering a membership discount?
That’s what we call killing two birds with one stone.