O2

a. O2 should not be emailing any passwords, you should be abl to reset passwords, not send them.
b. If you register: a. your phone, b. for bleubook c. for forum you get, at least, three emails with readable passwords. This is bad practice & not in the interest of your customers.

Where do they email passwords "all over the place"? Care to explain what you mean by that ?

a. O2 should not be emailing any passwords, you should be abl to reset passwords, not send them. b. If you register: a. your phone, b. for bleubook c. for forum you get, at least, three emails with readable passwords. This is bad practice & not in the interest of your customers. Where do they email passwords "all over the place"? Care to explain what you mean by that ?

They're not my customers, we are all O2 customers.
What you say would be true if further identity/security details were not asked for. eg. When you register for a Pay as You Go online account a verification code is sent to the handset.
As for the forums, they are not run by O2 and there is no link to your O2 account. If someone intercepted your email, the worst they could do is post under your online identity. However, they could do that anyway, if you don't log out.

I understand your desire to hear or receive your password from someone when you lose it. It sounds simple: I lose my password, ask for it and then receive it.

Unfotunately it is the question that is wrong. You should never be able to read a password, let alone send it from a system. If you type in a nw pasword it should only be stored in an ncrypted form (you can easily look up how Windows servers do this). If you are asked to confirm a password, only the encrypted version of it should be compared to the encrypted version of it that is stored somewhere safe.
If you ask someone (helpdesk, manager or whoever) "can you give me my password" their answer should be "no, I cannot. You can reset your password in the following way.....".

The policy is very simple and is deployed and used in many systems. If you work on a LAN it is highly likely that nobody will be able to tell you your passord from a system (if you have told or emailed them your password yourself this is a different matter of course).

If you are storing emails with the history of your passwords of various systems than that is a security risk. Life is full of risks, and this one is well intended. If you search for "password" in your emails and delete all emails that have a readable password in them you would be a lot safer. The systems that you forget passwords for should have alternatives for peole who forget them.

O2 should drop the bad practice of emailing passwords because it exposes their customers to more risk than should be acceptable. O2 should adhere to known industry good practice in the interest of their customers. It should not have to be very expensive and it would reflect positively on O2.


A lot of shoulds in there, I know.
cheers.

Last time I forgot my password and it was 18 months ago, it was sent in clear text in an email. The article says it's not good yet doesn't mention any decent alternatives. The most common I've come across is the web link to change. Problem being if you are on a browser that doesn't support the website it's a pain and I'm talking mobile devices here. Amusingly, the easiest way I remember is by keeping hold of emails as I forget the password to the password locker program I have! Not an easy subject really to come up with any decent answer to the best policy. Believe me, in my job, I have to use strong passwords across multiple applications and I hate trying to come up with a new one every so often. Also comes down to what we want to tolerate.

"Working on" as in creating/developing/programing or as in using?

If you ask someone (helpdesk, manager or whoever) "can you give me my password" their answer should be "no, I cannot. You can reset your password in the following way.....".

Unless you're referring to passwords I can't find, this is exactly what the response from o2 will be.
This forum (which isnt run by o2) simply runs a slightly customised phpbb install, which uses a modified flavour of md5 hashing to store passwords > passwords cannot be retrieved, and if you forget your password the password is simply reset to a new default value that gets sent to you before being hashed into the system.
Bluebook will not send you a password, if you use the lost password function it asks you to verify who you are (by comparing username to mobile number and sending a test message to the number which then requires a verification code be entered, and then requesting a further piece of security info) - After providing these you're directly prompted to enter a new password, which then is not emailed to you. The same function seems to exist on the main o2 site. The fact that in both cases the password is directly reset rather than provided to you suggests that the passwords most likely are, in fact, stored as hashes at o2's systems.

As long as there are other security features incorporated into changing your password, then sending a new one by email (open as it is), there is no real issue (and I have worked in security).
As said already, if you have another form of security, ie password/name of dog/cat/rabbit etc so you have to change your password before logging on (normally done during setup of account) then its far better, if its just an email and straight in, then no.

Text messaging to your phone is one idea but is slightly flawed as depending where it goes (2G for example has an unencrypted air interface to your handset) then your subjecting yourself to further open breaches, 3G is fully secure though and encryped, along with the network.

If you ask someone (helpdesk, manager or whoever) "can you give me my password" their answer should be "no, I cannot. You can reset your password in the following way.....". Unless you're referring to passwords I can't find, this is exactly what the response from o2 will be.......

I observe that O2 sends me my password just after I register. That is bad practice. O2 should not ever be emailing passwords. It is not necessary.

The rest (changing passwords etc. etc.) may be better. But it is not relevant for the initial observation.