
The shock of seeing your password in clear text

Posted by zarar on August 22, 2006 at 5:50 AM PDT

A sick feeling encompasses my soul, a wretched sickness comes over me as I sit there staring at this violation of even the simplest of courtesies. I examine it closely and sure enough, it is there, in clear text mocking me, laughing at me, just as I had typed it - letter for letter, digit for digit. No sense of regard showed on the part of the offender, in this case XDoclet's JIRA.

So hard have I worked to come up with a word at least eight characters long, containing a digit, an uppercase letter, a symbol and one that I won't forget, and you have to ruin it all by sending it to me in clear text over email? Especially when the password-o-meter told me I had chosen a great password. Why, I ask, why?

The first thing that comes to mind is that this sacred phrase is most likely stored in a cheap MySQL database without being md5'd. This alone is enough to warrant public execution but I'll let this pass as we live in times where acts of such vileness are tolerated. Who has access to my sacred word? Well, in this case it's the JIRA admin. I know he's (she's?) sitting there on those lonely nights just going through the list of the poor souls he has seduced into supplying him with the key to their lives. I've also been naive (stupid?) enough to supply the same password I use as for my email, youtube, home computer and most importantly bank. Yes, it is my fault, I have shown too much faith in common technology courtesy and will be punished for it by the JIRA admin finding out all about my porn stash.

My best judgment on why these sites don't encrypt passwords is because a) they're lazy, b) they don't know how, c) they want the user to have a copy of the password in case they supplied a really made-up one and will forget it instantly. Let's give them the benefit of the doubt and say it's c). Even in this case you HAVE to encrypt the damn password for database storage, or at least ask the user on the sign-up form whether they'd like their password mailed to them in clear text or not.

Listen, I don't have much going on in life and by no means will the person who knows my bank password be at a great advantage but it's still absolutely wrong to a) store such info in clear text for anyone with database access to see and b) to send it in an email which can be easily compromised. I've never been a JIRA admin so I'm not too sure if there's an option to use encryption or not but I'd be shocked if there weren't considering one has to open their wallet to use it.
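As an added illustration that is not part of the original post, here is the clear-text storage the post objects to next to a salted-hash form in Python, plus the reset-token alternative to mailing a password back. The sample password and the PBKDF2 parameters are constructed values, not anything from XDoclet's JIRA.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Illustrative work factor (constructed, not a recommendation for any product);
# tune the iteration count to the hardware that will verify logins.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The practice the post complains about: the record IS the password,
    so anyone with database access can read it and mail it back."""
    return password


def unsalted_md5(password: str) -> str:
    """The 'md5'd' storage the post mentions. Better than clear text, but every
    user with the same password gets the same digest, which is recognisable."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user salt + PBKDF2-HMAC-SHA256. The record lets the site verify a
    login but never recover the password, so it cannot be emailed in clear text."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reset_token() -> str:
    """What a 'forgot password' mail should carry instead of the password:
    a one-time random token tied to the account and expired after use."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    print(store_plaintext(pw), unsalted_md5(pw), store_hashed(pw), sep="\n")
```

Two users who pick the same password get identical `unsalted_md5` digests but different `store_hashed` records, which is the caveat against the plain md5 the post suggests.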

So for next time let us all agree to be careful with passwords for the sake of internet privacy:
