Comments for Why won't services just email me my password instead of making me set a new one?

Comment from Toy Trumpet on 2011-11-21

2011-11-21T17:46:42Z

There is a site called http://plaintextoffenders.com/ which names and shames this type of password insecurity.

]]>

A comment on: Why won't services just email me my password instead of making me set a new one?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from john on 2010-08-10

2010-08-10T16:45:28Z

That's really interesting and well explained. Thank you. But I'd be interested, and grateful, if you could take it a step further and explain what is going on with those sites (mostly banks, I find) that ask for (say) the 3rd, 5th and 10th character of your password, which cannot generate the same hash as the full password.

I've never seen that, however: it could be that they're storing your password (which would be bad), or perhaps when you set your password they save the 3rd, 5th and 10th characters only for later comparisons. That doesn't store your password, but it also doesn't compromise a sufficiently strong password either.

14-Aug-2010

]]>

A comment on: Why won't services just email me my password instead of making me set a new one?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from James on 2010-08-02

2010-08-02T16:14:46Z

"They don't know your password, they didn't store your password, and they couldn't tell you if they wanted to."
I have been saying to anyone who'd listen, probably for 30 years, that this ought to be true. But to my consternation I've recently had proof that it isn't, because www.guardian.co.uk actually emailed my password to me.

Admittedly, this is a free registration site, and doesn't claim to be secure, but that's not much of an excuse.

So Hey, let's be careful out there!

Yeah, there are sites that do, and as I said in the article - if they can mail you your password, they're doing security wrong. (I had one emailed to me just yesterday from aother site. Sigh.)

03-Aug-2010

]]>

A comment on: Why won't services just email me my password instead of making me set a new one?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from pentester on 2010-07-27

2010-07-27T22:52:26Z

[" Had the passwords not been stored, but instead a hash used, then the hacker would have next to nothing."]

I beg the differ ... It is a one way street in so many ways yes, but so many it isn't. Depending on the power of you computer, the size of your rainbow tables, and the willing time, cracking 80% of a password database could be done within a few weeks. The 1st day would weed out approx. 50% due to the week dictionary passwords that a simple dictionary attack could crack.

Which is why random unique passwords are so critical. They won't be in the tables.

29-Jul-2010

]]>

A comment on: Why won't services just email me my password instead of making me set a new one?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Carl R. Goodwin on 2010-07-27

2010-07-27T15:25:50Z

It probably took longer to write the question than it would have to just reset the password!!!

]]>

A comment on: Why won't services just email me my password instead of making me set a new one?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.