March 1st, 2013
I do not claim to be one of the great experts in password security. I know a thing or two about stupid passwords, as I had to reset people’s passwords occasionally when I worked for an ISP. Everyone wants a stupid password. That’s old news.
Today I had forgotten a password for a site I use. I used the forgotten-password link and they emailed me a new password. All well and good. Like most email-based resets, they urge you to pick a new password upon logging in successfully. After all, they just sent an unencrypted email with the password in it. It’s not very secure. So, dutifully, I go to reset the password and find a single blank to enter it, which did not disguise the characters once they’d been entered (admittedly a bit silly). What does the site do then? Why, it emails you confirmation of the password change with your new password in a fresh and equally unencrypted email.
Which I think somewhat misses the point.