And people wonder why we have so many breaches
I just signed up for a cyber security newsletter with Mondaq, the big British publisher, and I got a confirmation email back after the signup. I get those all the time, so I didn’t really look at the email until later.
Two things stand out in the email —
First this:
To choose your personal News Alert topics and region click here:
http://www.mondaq.com/go.asp?u=mitch@tanmann.com&p=***************&n=1
For those of you who are not geeks, the u= parameter is my user ID and the p= parameter is my password. I put the stars in there instead of sharing my password with everyone. 🙂
Of course, this came in unencrypted email.
The second is, later in the same email:
Your user details are below:
Username: mitch@tanmann.com
Email Address: mitch@tanmann.com
Password: ***************
Please ensure that you keep this information for future reference.
Besides the obvious security breach of sending my password in clear text in an unencrypted email, it also means that they know what my password is. Most web sites either encrypt or hash your password in a way that no one, not even they, can decrypt. Then, when you send your password the next time you log in, they encrypt or hash what you typed and compare the encrypted or hashed values. That way, they never have to know what your password is. Apparently, the folks at Mondaq have never heard of that concept.
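Here is what the "hash and compare" approach looks like in practice, as an added example that is not from the original post or from Mondaq. It assumes Python's standard library only; the PBKDF2 parameters (SHA-256, a 16-byte random salt, the iteration count) are my choices, and the record format is a constructed stand-in for a user table row.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumption for this example; tune to your hardware).
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def create_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build the stored user record: a random salt and the derived hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from what the user typed and compare it to the stored one.

    The site never needs the original password: it only needs to check that
    hashing the candidate with the same salt and work factor gives the same digest.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    # Constant-time comparison so a mismatch does not leak where the digests differ.
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_contains_password(record: dict, password: str) -> bool:
    """True if the stored record could be mailed back as the password (it should never be)."""
    return any(str(value) == password for value in record.values())


if __name__ == "__main__":
    # Constructed sample: a signup, then two login attempts.
    stored = create_record("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password(stored, "correct horse battery staple"))
    print("login with wrong password:", verify_password(stored, "hunter2"))
    print("record reveals password:", record_contains_password(stored, "correct horse battery staple"))
```

Because the salt is random, two users with the same password get different stored hashes, so a leaked table cannot be matched against a precomputed list of common passwords.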
I assume these guys are smart. They are just trying to make things easy for their users and have no thought of the security impact of doing this.
ARGH!!!!!
Mitch