<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Newbie: Like the features but why does O2 email passwords in Discussions &amp; Feedback</title>
    <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103641#M5215</link>
    <description>&lt;img class="lia-deferred-image lia-image-emoji" src="https://community.o2.co.uk/html/@86490D440D0190FE6D301D335D2A66D8/images/smilies/011.png" alt="slight_smile" title="slight_smile" /&gt;&lt;BR /&gt;&lt;BR /&gt;"Working on" as in creating/developing/programming or as in using?</description>
    <pubDate>Wed, 03 Feb 2010 12:37:59 GMT</pubDate>
    <dc:creator>Anonymous</dc:creator>
    <dc:date>2010-02-03T12:37:59Z</dc:date>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103636#M5210</link>
      <description>I am a newbie O2 customer.&lt;BR /&gt;I like the possibilities of bluebook, the forum etc.&lt;BR /&gt;&lt;BR /&gt;However, I noticed to my dismay that O2 starts emailing readable passwords all over the place. I think that is very bad practice.&lt;BR /&gt;&lt;BR /&gt;http://www.thebitmill.com/articles/password_email.html and many others agree.&lt;BR /&gt;&lt;BR /&gt;Can something be done about this??????</description>
      <pubDate>Wed, 03 Feb 2010 01:00:00 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103636#M5210</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T01:00:00Z</dc:date>
    </item>
    <item>
      <title>Re: Newbie: Like the features but why does O2 email password</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103637#M5211</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;I am a newbie O2 customer.&lt;BR /&gt;I like the possibilities of bluebook, the forum etc.&lt;BR /&gt;However, I noticed to my dismay that O2 starts emailing readable passwords all over the place. . . .&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;Where do they email passwords "all over the place"? Care to explain what you mean by that?</description>
      <pubDate>Wed, 03 Feb 2010 09:03:16 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103637#M5211</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T09:03:16Z</dc:date>
    </item>
    <item>
      <title>Re: Newbie: Like the features but why does O2 email password</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103638#M5212</link>
      <description>a. O2 should not be emailing any passwords, you should be able to reset passwords, not send them.&lt;BR /&gt;b. If you register: a. your phone, b. for bluebook c. for forum you get, at least, three emails with readable passwords. This is bad practice &amp;amp; not in the interest of your customers.&lt;BR /&gt;&lt;BR /&gt;&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BR /&gt;Where do they email passwords "all over the place"? Care to explain what you mean by that?&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;</description>
      <pubDate>Wed, 03 Feb 2010 10:37:55 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103638#M5212</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T10:37:55Z</dc:date>
    </item>
    <item>
      <title>Re: Newbie: Like the features but why does O2 email password</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103639#M5213</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;a. O2 should not be emailing any passwords, you should be able to reset passwords, not send them.&lt;BR /&gt;b. If you register: a. your phone, b. for bluebook c. for forum you get, at least, three emails with readable passwords. This is bad practice &amp;amp; not in the interest of your customers.&lt;BR /&gt;&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BR /&gt;Where do they email passwords "all over the place"? Care to explain what you mean by that?&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;They're not my customers, we are all O2 customers.&lt;BR /&gt;What you say would be true if further identity/security details were not asked for, e.g. when you register for a Pay as You Go online account a verification code is sent to the handset.&lt;BR /&gt;As for the forums, they are not run by O2 and there is no link to your O2 account. If someone intercepted your email, the worst they could do is post under your online identity. However, they could do that anyway, if you don't log out.</description>
      <pubDate>Wed, 03 Feb 2010 11:16:56 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103639#M5213</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T11:16:56Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103640#M5214</link>
      <description>I understand your desire to hear or receive your password from someone when you lose it. It sounds simple: I lose my password, ask for it and then receive it. &lt;BR /&gt;&lt;BR /&gt;Unfortunately it is the question that is wrong. You should never be able to read a password, let alone send it from a system. If you type in a new password it should only be stored in an encrypted form (you can easily look up how Windows servers do this). If you are asked to confirm a password, only the encrypted version of it should be compared to the encrypted version of it that is stored somewhere safe.&lt;BR /&gt;If you ask someone (helpdesk, manager or whoever) "can you give me my password" their answer should be "no, I cannot. You can reset your password in the following way.....".&lt;BR /&gt;&lt;BR /&gt;The policy is very simple and is deployed and used in many systems. If you work on a LAN it is highly likely that nobody will be able to tell you your password from a system (if you have told or emailed them your password yourself this is a different matter of course).&lt;BR /&gt;&lt;BR /&gt;If you are storing emails with the history of your passwords of various systems then that is a security risk. Life is full of risks, and this one is well intended. If you search for "password" in your emails and delete all emails that have a readable password in them you would be a lot safer. The systems that you forget passwords for should have alternatives for people who forget them.&lt;BR /&gt;&lt;BR /&gt;O2 should drop the bad practice of emailing passwords because it exposes their customers to more risk than should be acceptable. O2 should adhere to known industry good practice in the interest of their customers. It should not have to be very expensive and it would reflect positively on O2.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;A lot of shoulds in there, I know. 
&lt;img class="lia-deferred-image lia-image-emoji" src="https://community.o2.co.uk/html/@86490D440D0190FE6D301D335D2A66D8/images/smilies/011.png" alt="slight_smile" title="slight_smile" /&gt;&lt;BR /&gt;cheers.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;Last time I forgot my password and it was 18 months ago, it was sent in clear text in an email. &lt;BR /&gt;The article says it's not good yet doesn't mention any decent alternatives. The most common I've come across is the web link to change. Problem being if you are on a browser that doesn't support the website it's a pain and I'm talking mobile devices here. Amusingly, the easiest way I remember is by keeping hold of emails as I forget the password to the password locker program I have! &lt;BR /&gt;Not an easy subject really to come up with any decent answer to the best policy. Believe me, in my job, I have to use strong passwords across multiple applications and I hate trying to come up with a new one every so often. Also comes down to what we want to tolerate.&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;</description>
      <pubDate>Wed, 03 Feb 2010 11:55:41 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103640#M5214</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T11:55:41Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103641#M5215</link>
      <description>&lt;img class="lia-deferred-image lia-image-emoji" src="https://community.o2.co.uk/html/@86490D440D0190FE6D301D335D2A66D8/images/smilies/011.png" alt="slight_smile" title="slight_smile" /&gt;&lt;BR /&gt;&lt;BR /&gt;"Working on" as in creating/developing/programming or as in using?</description>
      <pubDate>Wed, 03 Feb 2010 12:37:59 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103641#M5215</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T12:37:59Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103642#M5216</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BR /&gt;If you ask someone (helpdesk, manager or whoever) "can you give me my password" their answer should be "no, I cannot. You can reset your password in the following way.....".&lt;BR /&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;Unless you're referring to passwords I can't find, this is exactly what the response from o2 will be.&lt;BR /&gt;This forum (which isn't run by o2) simply runs a slightly customised phpbb install, which uses a modified flavour of md5 hashing to store passwords &amp;gt; passwords cannot be retrieved, and if you forget your password the password is simply reset to a new default value that gets sent to you before being hashed into the system.&lt;BR /&gt;Bluebook will not send you a password, if you use the lost password function it asks you to verify who you are (by comparing username to mobile number and sending a test message to the number which then requires a verification code be entered, and then requesting a further piece of security info) - After providing these you're directly prompted to enter a new password, which then is not emailed to you. The same function seems to exist on the main o2 site. The fact that in both cases the password is directly reset rather than provided to you suggests that the passwords most likely are, in fact, stored as hashes at o2's systems.</description>
      <pubDate>Wed, 03 Feb 2010 12:58:37 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103642#M5216</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T12:58:37Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103643#M5217</link>
      <description>If I am sent a password in this way, I log into my account and change it.&lt;BR /&gt;&lt;BR /&gt;Seems the simplest and most logical thing to do.</description>
      <pubDate>Wed, 03 Feb 2010 15:21:10 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103643#M5217</guid>
      <dc:creator>perksie</dc:creator>
      <dc:date>2010-02-03T15:21:10Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103644#M5218</link>
      <description>As long as there are other security features incorporated into changing your password, then sending a new one by email (open as it is), there is no real issue (and I have worked in security).&lt;BR /&gt;As said already, if you have another form of security, i.e. password/name of dog/cat/rabbit etc so you have to change your password before logging on (normally done during setup of account) then it's far better, if it's just an email and straight in, then no.&lt;BR /&gt;&lt;BR /&gt;Text messaging to your phone is one idea but is slightly flawed as depending where it goes (2G for example has an unencrypted air interface to your handset) then you're subjecting yourself to further open breaches, 3G is fully secure though and encrypted, along with the network.</description>
      <pubDate>Wed, 03 Feb 2010 17:23:16 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103644#M5218</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T17:23:16Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103645#M5219</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BR /&gt;If you ask someone (helpdesk, manager or whoever) "can you give me my password" their answer should be "no, I cannot. You can reset your password in the following way.....".&lt;BR /&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;Unless you're referring to passwords I can't find, this is exactly what the response from o2 will be.......&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;I observe that O2 sends me my password just after I register. That is bad practice. O2 should not ever be emailing passwords. It is not necessary.&lt;BR /&gt;&lt;BR /&gt;The rest (changing passwords etc. etc.) may be better. But it is not relevant for the initial observation.</description>
      <pubDate>Wed, 03 Feb 2010 21:27:47 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103645#M5219</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T21:27:47Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103646#M5220</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;If I am sent a password in this way, I log into my account and change it.&lt;BR /&gt;Seems the simplest and most logical thing to do.&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;It is bad practice to email passwords. &lt;BR /&gt;&lt;BR /&gt;One previous answerer already indicates he collects the emails because he sometimes forgets them. Theregister.co.uk has an article today on how many users use one password for all their accounts (financial and non-financial). Do you suggest that if you use the O2 forum or register your phone and use a password that you must go to all accounts that use that password? It is much easier to stick to good practice and not email passwords in the first place.&lt;BR /&gt;&lt;BR /&gt;Simple fact remains: passwords should not be sent. There is no need.</description>
      <pubDate>Wed, 03 Feb 2010 21:36:20 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103646#M5220</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T21:36:20Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103647#M5221</link>
      <description>Better head to the O2 Complaints Review Dept. then.</description>
      <pubDate>Wed, 03 Feb 2010 21:40:27 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103647#M5221</guid>
      <dc:creator>perksie</dc:creator>
      <dc:date>2010-02-03T21:40:27Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103648#M5222</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;As long as there are other security features incorporated into changing your password, then sending a new one by email (open as it is), there is no real issue (and I have worked in security).&lt;BR /&gt;As said already, if you have another form of security, i.e. password/name of dog/cat/rabbit etc so you have to change your password before logging on (normally done during setup of account) then it's far better, if it's just an email and straight in, then no.&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;I do agree that there should be a process to ensure someone is who he/she claims to be when someone wants to change their password. This may, of course involve exchanging other information than the password.&lt;BR /&gt;&lt;BR /&gt;I disagree on that it should be OK to email passwords. Can you explain why this should be necessary? It exposes the customer/user to unnecessary risk. If you disagree that it is bad-practice I would like to hear some arguments. &lt;BR /&gt;&lt;BR /&gt;cheers.</description>
      <pubDate>Wed, 03 Feb 2010 21:43:29 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103648#M5222</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T21:43:29Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103649#M5223</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BR /&gt;I disagree on that it should be OK to email passwords. Can you explain why this should be necessary? It exposes the customer/user to unnecessary risk. If you disagree that it is bad-practice I would like to hear some arguments. &lt;BR /&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;It doesn't expose the customer to any realistic risk at all - If you don't want the email hanging round containing its plain-text password, delete it, the copy of the password that's sent via email is the only plain-text copy that exists as when the email is sent the password then gets hashed into the database from which it is then irretrievable (leaving aside the potential use of a weak hashing method).&lt;BR /&gt;&lt;BR /&gt;Compound this with the fact that it's only "bad practice" when the user themselves specify a password they use in countless other places (user's own fault, if you're using the same password on a forum as you use for financial logins you have far bigger security problems than a password being sent to you in an email that you can then delete and the only plain-text copy of which is gone forever, anyway) and even then you have a "risk" that's tiny, as the plain-text password is still only sitting in the user's own email account.&lt;BR /&gt;Before you bring up the subject of interception of the email or the user's download of the email I note you don't seem to have a problem with the fact that the O2 forum, much like almost every forum on the planet, uses plain http for the signup page, so the password is just as interceptable when you submit it in the first place. More so in fact, as HTTP data is logged in all kinds of places as a matter of course, ESMTP message content is not.</description>
      <pubDate>Wed, 03 Feb 2010 22:05:55 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103649#M5223</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T22:05:55Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103650#M5224</link>
      <description>I do not think that requiring the users to delete emails should solve the bad-practice of sending passwords in email. &lt;BR /&gt;I do not see any explanation on why sending passwords should be necessary. Can you explain that?&lt;BR /&gt;cheers&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BR /&gt;I disagree on that it should be OK to email passwords. Can you explain why this should be necessary? It exposes the customer/user to unnecessary risk. If you disagree that it is bad-practice I would like to hear some arguments. &lt;BR /&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;It doesn't expose the customer to any realistic risk at all - If you don't want the email hanging round containing it's plain-text password, delete it, the copy of the password that's sent via email is the only plain-text copy that exists as when the email is sent the password then gets hashed into the database from which it is then irretrievable (leaving aside the potential use of a weak hashing method).&lt;BR /&gt;Compound this with the fact that it's only "bad practice" when the user themselves specify a password they use in countless other places (user's own fault, if you're using the same password on a forum as you use for financial logins you have far bigger security problems than a password being sent to you in an email that you can then delete and the only plain-text copy of which is gone forever, anyway) and even then you have a "risk" that's tiny, as the plain-text password is still only sitting in the user's own email account.&lt;BR /&gt;Before you bring up the subject of interception of the email or the user's download of the email I note you don't seem to have a problem with the fact that the O2 forum, much like almost every forum on the planet, uses plain http 
for the signup page, so the password is just as interceptable when you submit it in the first place. More so in fact, as HTTP data is logged in all kinds of places as a matter of course, ESMTP message content is not.&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;</description>
      <pubDate>Wed, 03 Feb 2010 22:26:55 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103650#M5224</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T22:26:55Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103651#M5225</link>
      <description>Why is there an issue with emailing passwords?  I cannot really understand it, is it because you believe they are easier to be hacked and stolen from the database on O2's end?  Or somebody hacking your email and reading all your passwords in your inbox?&lt;BR /&gt;&lt;BR /&gt;In my opinion, if it is the 1st reason then I wouldn't know what to think as the chances of that happening are probably extremely slim and if it is 2nd reason, surely every user has a responsibility for their own security as well and a simple delete is easy if you are worried about this.  And with O2, they have extra security questions so this person who hacked your email would need a lot of extra information about you to have the password resent in an email?</description>
      <pubDate>Wed, 03 Feb 2010 22:56:19 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103651#M5225</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T22:56:19Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103652#M5226</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;I do not think that requiring the users to delete emails should solve the bad-practice of sending passwords in email. &lt;BR /&gt;I do not see any explanation on why sending passwords should be necessary. Can you explain that?&lt;BR /&gt;cheers&lt;BR /&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;The reason is perfectly simple, Joe home user doesn't employ proper password security anyway, which will result in one of two things:&lt;BR /&gt;1) the user will supply their common password that happens to be shared with a number of other sites, which means they will already have messed up as they provided the password to the forum via an unsecured connection in the first place - Receiving the password via an email then deleting it because they know the password doesn't provide any significant further security failing than using a shared password, and using it over an unsecured connection, in the first place.&lt;BR /&gt;2) The user will have the partial sense to use a non or only semi re-used password, but then when they check their bill or the forum every few weeks they constantly forget the password. The user could reset their password every single time to a new value, but users are lazy so this won't happen. What will happen, is they'll have this password stored somewhere in viewable format. If it wasn't in an email from o2, it'd be on a piece of paper or a text file on the user's computer, both of which are less secure than in a further passworded email account.&lt;BR /&gt;&lt;BR /&gt;Thus, o2 is giving a choice. 
If you're a dumb enough user that the password must be stored and know nothing of encrypted containers (ie 99% of users) then the password being stored in a passworded email account is the safest place for it, it's safer here than it was being transmitted in the clear via http to o2 (or any other forum) in the first place. If you don't need to store the password, then you can just delete the email, and all trace of the unhashed password is gone.</description>
      <pubDate>Wed, 03 Feb 2010 23:04:37 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103652#M5226</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-03T23:04:37Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103653#M5227</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;I do not think that requiring the users to delete emails should solve the bad-practice of sending passwords in email. &lt;BR /&gt;I do not see any explanation on why sending passwords should be necessary. Can you explain that?&lt;BR /&gt;cheers &lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;You could always post it  &lt;img class="lia-deferred-image lia-image-emoji" src="https://community.o2.co.uk/html/@0298759A4703928FCB017542757CF0DA/images/smilies/013.png" alt="wink" title="wink" /&gt; &lt;BR /&gt;&lt;BR /&gt;A single password sent via email to enable you to log onto the main screen on a multi protected account (i.e. other methods of protection that were set up originally with the account) means absolutely nothing to anyone, unless you know the rest of the account details then it's just a word or normally a group of characters, you're then meant to log in, be given a series of other questions that you set up and then log into your account, if you're then stupid enough not to change your password, well that's user error.&lt;BR /&gt;It is also very hard to intercept one single email out of billions that fly around, and it's usually due to lack of computer security that lets people access your account (be it via malware or being hacked) in the first place, i.e. the user.&lt;BR /&gt;&lt;BR /&gt;If you have any really good ideas of how to send it securely (please don't say text message, I have 1 really serious point about that) then go for it  &lt;img class="lia-deferred-image lia-image-emoji" src="https://community.o2.co.uk/html/@0298759A4703928FCB017542757CF0DA/images/smilies/013.png" alt="wink" title="wink" /&gt;</description>
      <pubDate>Thu, 04 Feb 2010 16:55:00 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103653#M5227</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-04T16:55:00Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103654#M5228</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;I do not think that requiring the users to delete emails should solve the bad-practice of sending passwords in email. &lt;BR /&gt;I do not see any explanation on why sending passwords should be necessary. Can you explain that?&lt;BR /&gt;cheers &lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;You could always post it  &lt;img class="lia-deferred-image lia-image-emoji" src="https://community.o2.co.uk/html/@0298759A4703928FCB017542757CF0DA/images/smilies/013.png" alt="wink" title="wink" /&gt; &lt;BR /&gt;A single password sent via email to enable you to log onto the main screen on a multi protected account (i.e. other methods of protection that were set up originally with the account) means absolutely nothing to anyone, &lt;BR /&gt;If you have any really good ideas of how to send it securely (please don't say text message, I have 1 really serious point about that) then go for it  &lt;img class="lia-deferred-image lia-image-emoji" src="https://community.o2.co.uk/html/@0298759A4703928FCB017542757CF0DA/images/smilies/013.png" alt="wink" title="wink" /&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;I appreciate the sense of humour in the winks. But the issue remains the same:&lt;BR /&gt;a. Sending passwords in emails is Bad Practice. Your assertion that an emailed password means nothing to anyone is a fallacy.&lt;BR /&gt;b. You do not explain why you want to argue that it is necessary to send passwords (which it is not), but you boldly ask "if you have ..ideas of how to send it securely"... My simple answer is: It (i.e. passwords) should not be sent at all. If you think that emailing passwords is necessary: kindly explain why?&lt;BR /&gt;&lt;BR /&gt;cheers</description>
      <pubDate>Thu, 04 Feb 2010 18:19:31 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103654#M5228</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-04T18:19:31Z</dc:date>
    </item>
    <item>
      <title>Newbie: Like the features but why does O2 email passwords</title>
      <link>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103655#M5229</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;TABLE border="1"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;Why is there an issue with emailing passwords?  I cannot really understand it, is it because you believe they are easier to be hacked and stolen from the database on O2's end?  Or somebody hacking your email and reading all your passwords in your inbox?&lt;BR /&gt;In my opinion, if it is the 1st reason then I wouldn't know what to think as the chances of that happening are probably extremely slim and if it is 2nd reason, surely every user has a responsibility for their own security as well and a simple delete is easy if you are worried about this.  And with O2, they have extra security questions so this person who hacked your email would need a lot of extra information about you to have the password resent in an email?&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;BR /&gt;Hi Supergtaz:&lt;BR /&gt;&lt;BR /&gt;There is an issue with emailing passwords. It is Bad Practice. &lt;BR /&gt;&lt;BR /&gt;Google on "emailing passwords bad practice" and you'll find many references.&lt;BR /&gt;One clear one I like is &lt;A href="http://www.techconsumer.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/"&gt;http://www.techconsumer.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;At the start I also mentioned this source &lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://www.thebitmill.com/articles/password_email.html"&gt;http://www.thebitmill.com/articles/password_email.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;cheers.</description>
      <pubDate>Thu, 04 Feb 2010 18:26:36 GMT</pubDate>
      <guid>https://community.o2.co.uk/t5/Discussions-Feedback/Newbie-Like-the-features-but-why-does-O2-email-passwords/m-p/103655#M5229</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2010-02-04T18:26:36Z</dc:date>
    </item>
  </channel>
</rss>

