Saturday, August 20, 2011

Do not send passwords via e-mail

Sometimes, after a successful registration, I receive an unencrypted e-mail that contains my login and my password in plain text. What's the point in securing the registration form (HTTPS) if, a moment later, the same credentials are sent over an unprotected channel, potentially giving anyone who reads the message access to the account?

What's more, if someone broke into my e-mail account, they would get an extra gift: passwords to my other accounts, sitting in old registration messages.

As a result, my level of trust drops significantly. If the site could put my password into an e-mail, it had the plain-text value at that moment; how do I know it does not store it that way as well? Password hashing is such a basic thing...

Advice: Do not send passwords via (unencrypted) e-mail. An account activation link is enough.
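To make the advice concrete, here is an added example (my own illustration, not code from any site mentioned in this post) of a registration flow that stores only a salted password hash, e-mails a random, single-use, time-limited activation token instead of the password, and refuses to queue any outbound message that contains the plain-text password. The user store, the outbox and the site URL (`example.invalid`) are constructed stand-ins for a real database, mailer and domain.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed, in-memory stand-ins for a user table and an outbound mail queue.
USERS: dict = {}
OUTBOX: list = []
BASE_URL = "https://example.invalid"  # placeholder domain, not a real site
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    # SHA-256 of the activation token; the raw token exists only in the e-mail.
    activation_token_hash: Optional[bytes]
    activation_expires: float
    active: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; only the digest is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def queue_mail(to: str, body: str, forbidden: str) -> None:
    """Outbound guard: never let a message leave if it contains the secret."""
    if forbidden and forbidden in body:
        raise ValueError("refusing to send e-mail containing a plain-text password")
    OUTBOX.append({"to": to, "body": body})


def register(email: str, password: str, now: Optional[float] = None) -> str:
    """Create an inactive account and queue an activation e-mail.

    Returns the raw token only so a caller/test can exercise activate();
    a real application would return nothing and rely on the e-mail."""
    now = time.time() if now is None else now
    salt = os.urandom(16)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    USERS[email] = User(
        email=email,
        salt=salt,
        password_hash=hash_password(password, salt),
        activation_token_hash=hashlib.sha256(token.encode()).digest(),
        activation_expires=now + TOKEN_TTL_SECONDS,
    )
    body = (
        "Welcome! Activate your account by opening this link:\n"
        f"{BASE_URL}/activate?email={email}&token={token}\n"
        "The link expires in 24 hours. We never send your password by e-mail."
    )
    queue_mail(email, body, forbidden=password)
    return token


def activate(email: str, token: str, now: Optional[float] = None) -> bool:
    """Validate a presented token: unknown user, expired, reused or wrong -> False."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or user.active or user.activation_token_hash is None:
        return False
    if now > user.activation_expires:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user.activation_token_hash):
        return False
    user.active = True
    user.activation_token_hash = None  # single use: the link cannot be replayed
    return True


def verify_password(email: str, password: str) -> bool:
    """Login check against the stored hash; inactive accounts cannot log in."""
    user = USERS.get(email)
    if user is None or not user.active:
        return False
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)


if __name__ == "__main__":
    t = register("alice@example.invalid", "correct horse battery")
    print(OUTBOX[-1]["body"])
    print("activated:", activate("alice@example.invalid", t))
    print("login ok:", verify_password("alice@example.invalid", "correct horse battery"))
```

The activation token is stored hashed for the same reason the password is: a database dump should not hand out live activation links. Expiry and single use limit how long a registration e-mail sitting in a mailbox remains useful to someone who reads it later.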

Observed at: www.mojwzrok.pl and many other places...

2 comments:

  1. There are countless sites that have such terrible security flaws.

    I also hate that my bank sends me unencrypted summaries each month. I'd like to give my public PGP key to my bank so they could encrypt all valuable data sent to me.

  2. On the other hand: while registering you get a confirmation request or at least a greeting. This mail can stay on your server for ages. This way anyone who hacks into your mail gets to know where you are registered. Even if that site sends "reset password" links, you're toast.
