46

I'm currently job searching, and sometimes I come across sites that are just huge databases full of job postings, and before you apply you have to create an account. I came across a site, but I'm skeptical of its security practices.

When I found a job posting that I wanted to apply to, it asked for my e-mail address, so I entered it. A pop-up asked me for my resume and the usual contact information. I supplied what I needed to and sent my application.

I noticed, however, that it used my e-mail address and created a user account without prompting me for a password.

Immediately, I was alarmed by this, so I checked my e-mail thinking that the site supplied me with a temporary password that it requires me to change, only to discover that I had to confirm my e-mail address and then be prompted to enter a password. From my perspective, I had a user account with no password for maybe 3-5 minutes.

Was I right to be skeptical? Should I delete my account?

9
  • 22
    This might sound like a silly question, but why do you want a password? You are posting a resume, which by most measures, is public information. (There are lots of reasons to want one, but I'm interested in what you are looking for).
    – schroeder
    Commented Jul 4, 2018 at 16:06
  • 1
    @schroeder - I understand what you're saying but I've never seen this password practice before.
    – user181505
    Commented Jul 4, 2018 at 16:09
  • 15
    @C0deDaedalus - Don't think that's a good idea. Especially given that if someone is aware of my e-mail they can ask for a password reset link and steal my information
    – user181505
    Commented Jul 4, 2018 at 17:04
  • 3
    Some applications procedures require a lot of sensitive information which I wouldn't like to be available to everyone. Commented Jul 5, 2018 at 12:34
  • 2
    @schroeder Presumably, the account allows you to edit the resume as well. I dunno about you, but I don't want anyone looking at my resume to be able to change my experience section to "Butts Developer at Butts Incorporate. Butts: Butts butts. (when I was born-present)". Whether or not that's actually possible is addressed by your answer, but it's a valid concern -- there appeared to be no authentication, which is extremely concerning.
    – anon
    Commented Jul 5, 2018 at 16:56

6 Answers

73

Just because you had not set a password, that does not mean that your account could be accessed. Without seeing the code, I cannot be sure, but it is possible that you could not log in to your account until you used the link in the email to set the password. You were still using the same session ID while you continued to use the site.

12
  • 28
    "normal"? No. But I have seen it before.
    – schroeder
    Commented Jul 4, 2018 at 16:10
  • 16
    It all depends on how it is implemented.
    – schroeder
    Commented Jul 4, 2018 at 16:14
  • 54
    There is nothing inherently insecure about it. Commented Jul 4, 2018 at 16:15
  • 2
    I agree with @schroeder, because when you click the link, which you get in the email, it then asks for a password. So now you need to focus on "Is the link you got in the email predictable?" If it is, then it is a bug. Commented Jul 4, 2018 at 18:17
  • 3
    I've seen setups where no permanent password was ever set up; instead, a one-time password was set by email at each login.
    – svavil
    Commented Jul 4, 2018 at 21:39
70

As a programmer who has created a user signup workflow like this, I can assure you that there is nothing to worry about.

A little background info

When you enter your email, no user account is created (yes, you read that right). The email, link, expiry time and other details are stored. Once you verify your email and enter the password, a new user account is created.

After some time, if the user account is not verified, all the information regarding the user will be deleted.

So, what happened here is that your email was verified before the signup process.

Why is this done?

We did this to avoid creation of fake user accounts. It also prevents someone from accidentally creating a user account associated with your email.


Now to answer your questions

Was I right to be skeptical? Should I "delete" my account?

There is no need to delete your account. This is an uncommon behavior but not a harmful one. It is just an added security measure.

8
  • 3
    I worried about it for no reason because I've never seen that type of user registration before.
    – user181505
    Commented Jul 5, 2018 at 11:29
  • 1
    @Sveta I'll admit that we did not think that a user might get suspicious. Thank you too. From now on I will try to include a message regarding this inside the website.
    – Kolappan N
    Commented Jul 5, 2018 at 11:36
  • 1
    Another potential way this could work (I have done this for other reasons in the past) is to set a password which is randomly generated (obviously a complex one, 64 chars or whatever) and then, upon email confirmation, you basically reset the password. Commented Jul 5, 2018 at 15:02
  • 1
    @Sveta that may have still happened, you just never saw the temp password. When you 'created' the account it could have simply replaced the old password hash with your new one. Commented Jul 5, 2018 at 15:57
  • 1
    I have seen this workflow from the Development side and in that case the account was not persisted in the account database until the user had confirmed their email address. If the email address wasn't confirmed within a set period then the pending account was deleted along with all Personally Identifiable Data.
    – pwdst
    Commented Jul 6, 2018 at 4:14
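The workflow Kolappan N describes (store the email, link and expiry; create the account only when the link is used to set a password; purge unverified entries), as an added example written for this page rather than code from the site in question or from any answerer. The class name `SignupService`, the 15-minute link lifetime and the in-memory dictionaries are assumptions; a real deployment would email the token and persist the tables in a database.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of the emailed link (not stated on the page).
TOKEN_TTL_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SignupService:
    """Email-first signup: nothing that can be logged into exists until the
    emailed link is used to set a password (hypothetical illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(link token) -> {"email", "expires_at"}
        self._accounts = {}  # email -> {"salt", "password_hash"}

    def start_signup(self, email: str) -> str:
        """Record the applicant's email and return the link token.
        In a real system the token is emailed, never shown in the browser."""
        if email in self._accounts:
            raise ValueError("an account with this email already exists")
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the token's hash is stored, so a leaked pending table cannot be
        # used to finish someone else's signup.
        self._pending[digest] = {
            "email": email,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_signup(self, token: str, password: str) -> bool:
        """Turn a pending entry into an account; the token is single-use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            return False  # link expired; the applicant must start over
        salt = secrets.token_bytes(16)
        self._accounts[entry["email"]] = {
            "salt": salt,
            "password_hash": _hash_password(password, salt),
        }
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self._accounts.get(email)
        if acct is None:
            return False  # a pending signup is not an account: nothing to log in to
        candidate = _hash_password(password, acct["salt"])
        return hmac.compare_digest(acct["password_hash"], candidate)

    def purge_expired(self) -> int:
        """Delete unverified entries (and their personal data) once the link expires."""
        now = self._clock()
        expired = [d for d, e in self._pending.items() if now > e["expires_at"]]
        for d in expired:
            del self._pending[d]
        return len(expired)

    def pending_count(self) -> int:
        return len(self._pending)
```

The point the example makes concrete: between "enter your email" and "click the link", the applicant has a row in `_pending`, not an account, so `login()` fails for that email regardless of the password supplied. The link token carries the secret that a temporary password would otherwise carry, which is why its unpredictability (here `secrets.token_urlsafe(32)`) is the property worth checking, as the answer below about the link being a "special temporary password" also points out.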
22

I noticed however, it used my e-mail address and created a user account without prompting me for a password.

This approach has to do with providing a more convenient user experience; they want your resume and details but they don't want to bother you with password guessing, so they just leave you with the choice to either take your time setting your password or never come back; after all, they have your details.

If you use another browser or machine to upload your resume with the same email, you will probably be informed that another account with the same email already exists; still, you or any other person can't access that account without the link they sent to you (but not necessarily, as it depends on how they manage unique IDs).

Was I right to be skeptical? Should I "delete" my account? I say delete in quotes, because who knows if this will be done.

This approach is very common.
You don't have to delete your account, unless you have another reason.

3
  • Agree with the good to-the-point explanation, however the phrase "very common on a couple of websites" seems somehow contradictory.
    – Pacopaco
    Commented Jul 10, 2018 at 3:54
  • @Pacopaco contradictory to what ?
    – elsadek
    Commented Jul 11, 2018 at 21:49
    I understand "very common" in this context as "the approach is used on a lot of websites", whereas I understand "on a couple of websites" as "this approach is not used on a lot of websites" (note: English is not my primary language)
    – Pacopaco
    Commented Jul 15, 2018 at 22:57
8

Important first point: unless they did something really dumb, an account without a password isn't a security risk. Instead, it would be normal practice that someone can't log in to an account without a password. From that perspective, creating an account without a password, emailing the user to confirm, and then having them set a password is no more or less secure than setting a temporary password. As a result there is no real security concern here.

1
  • Thanks, I'm not concerned about the resume part, it's the password part that bugs me.
    – user181505
    Commented Jul 4, 2018 at 16:15
7

Think of it this way: the link that the e-mail provided you is, in a way, your temporary password. It is a "special" temporary password that lets you create an actual password.

Look at the link. Does it contain a long token / string? If so, (and if it is implemented correctly, which you can never be 100% sure of), then it is as secure as sending a literal temporary password.

Now, if the link does not contain a token and is a short, guessable URL, it might be using the session that you had established creating the account. If it is not doing that either, then the system is truly vulnerable since anyone would be able to guess said URL and change the associated account's password.

1
    I just had a look at it, and it does indeed have a long string. I had just never seen this type of setup before. I'm always used to creating a user account with a username and password first before doing anything else.
    – user181505
    Commented Jul 5, 2018 at 13:33
1

I see no reason to delete the account.

  1. and created a user account ... I had a user account - How do you know it was really created? Have you tried to log in before confirming your email? Maybe there was no account created at all. Maybe it was created only after you confirmed your email.
  2. Maybe the account was created but was disabled from the beginning, until you confirmed your email.
