Password by mail
I always look askance at the letter that sends me my password in clear text right after I register somewhere. Am I dumb? Did I forget it right away? Didn't I type it the same way twice during registration? Can't I click the "Forgot password" button?
But the site superjob.ru simply floored me! They sent a useless letter of the "in case you didn't know, we have such a service" kind, and at the same time reminded me of my registration data in the letter: my e-mail, in case I'm a fool and don't know which mailbox I'm reading from, and my password, in case someone else wants to know it, probably. I politely expressed my opinion on this directly to the manager whose signature was in the letter. In response, they explained to me that only I should be reading my mail, and that they sent the password in case I "forgot or lost it". To my detailed explanation that this should not be done, because it is unsafe in any case, and that I will ask for the password myself if I need it, they wrote nonsense. In short, the gist: "We have the 'I forgot my password' function, but many people forget or lose their password anyway." Where is the logic??? And at the end of the letter, an excuse: "We will take your recommendations into account when working to improve our service and consider the possibility of making changes."
I promised them I would write this post, so here it is. Actually, I just want to raise the question. Is there anyone who believes that a user needs to be sent his password in clear text immediately after registration? And who believes that such reminders have a right to exist?
My personal opinion: seeing a password in clear text never makes sense. That is what the masking property of the password input field is for. Moreover, I believe that the password should not even be stored anywhere; storing it is not necessary in order to verify that the password I enter at login is correct. And even when a forgotten password is requested, the correct services generate a new password and send that. Log in and set the one you want.
I remembered another point: besides my password, the letter also contained a link through which you can access the site without a password. That is: too lazy to remember the password? Here it is! Too lazy to enter it? Click the link!
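To make the two points above concrete (verifying a login without ever storing the password, and handling "forgot password" with something other than the password itself), here is an added illustration in Python. It is not code from superjob.ru or from the author of this post; it assumes the standard library's hashlib.scrypt and uses constructed cost parameters and an in-memory dictionary as a stand-in for a user database. The "login without password" link from the letter is, in effect, a reset token that never expires and can be reused; the token here is single-use and short-lived instead.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory "user store": the plaintext password is never kept,
# only a per-user random salt and the scrypt hash derived from it.
USERS = {}
# token -> (username, expiry timestamp); tokens are single-use and short-lived.
RESET_TOKENS = {}

# Assumed cost parameters for scrypt (about 16 MiB of memory per hash).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte scrypt hash of the password under the given salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)


def register(username: str, password: str) -> None:
    """Store only a fresh random salt and the hash; the password itself is discarded."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}


def verify_login(username: str, password: str) -> bool:
    """Check a login attempt by recomputing the hash and comparing in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so an unknown username costs the same as a wrong password.
        _hash(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def issue_reset_token(username: str, ttl_seconds: int = 900) -> Optional[str]:
    """Create the random token that the 'forgot password' mail would link to.

    The mail carries only this token, never a password. Returning None for an
    unknown user lets the caller show the same neutral message either way.
    """
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + ttl_seconds)
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume a token once; reject it if unknown or expired, else set the new password."""
    entry = RESET_TOKENS.pop(token, None)  # pop: a token cannot be replayed
    if entry is None:
        return False
    username, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        return False
    register(username, new_password)  # re-salt and re-hash with the new password
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print("login ok:", verify_login("alice", "correct horse battery"))
    print("login wrong:", verify_login("alice", "nope"))
    tok = issue_reset_token("alice")
    print("reset applied:", redeem_reset_token(tok, "new password"))
    print("reset replayed:", redeem_reset_token(tok, "new password"))
```

The design choice worth noting is that the server can answer "is this password correct?" without being able to answer "what is this password?", so there is nothing to put in a welcome letter even if someone wanted to. Sending the token by mail still relies on the mailbox being private, which is exactly why the token is bound to one use and a short lifetime.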
PS I'm not paranoid. But it seems to me that this is already too much. I wanted to discuss sending passwords by mail as a phenomenon.
PPS I could not post this to the "Information Security" blog. I don't know why. Habr knows, but doesn't say: "Some error ... We know ..."