2

I created an online account on a website. They did not ask me for a password, just an email address; then, after acknowledging the "terms of service", I was already logged in.

Then I received an email with a password (ten characters, like an automatically generated password) and this advice:

Please note that passwords are case sensitive. [website name] handles sensitive information on behalf of some of its members and other organisations. To help protect your data, we automatically assign secure passwords. To maintain this security, you cannot change your password and we have no means of retrieving lost passwords.

This was something I had never seen before and it leaves me with a lot of doubts about the trustworthiness of the website. I was expecting at least the capability to change the password.

Update with more details: I did not realize immediately that I was already logged in, so I mistakenly logged out; but I was obviously without a password, so I clicked on their "forgot password" and then had a look at my incoming emails: an older welcome email with the first password, and a second, newer email due to "forgot password". The password of the older email is working; the password of the newer email does not work. After all, they wrote:

we have no means of retrieving lost passwords.

And they also add:

Please make sure you do not share your password with anyone. We recommend that provided you use a recent browser, you use your web browser's "remember password" function to provide ease of access while retaining password security.

2
  • 5
    "Trust us that we know how to handle your sensitive data properly. But, oh yeah, we have no idea how to code a basic password authentication mechanism. But trust us that we know what we are doing about the other stuff..."
    – schroeder
    Commented Jan 17, 2019 at 20:25
  • 1
    This sounds a bit like the password isn't just a password, but instead some sort of cryptographic key for the whole account. I've seen a few websites built like that.
    – grawity
    Commented Jan 18, 2019 at 9:03

1 Answer 1

4

You are right to be suspicious about this service.

The automatic login after account creation doesn't really bother me too much. The only reason it's not commonly used is that websites typically like to verify the email address in case an account needs to be reset: if you don't have a verified email, how can they do that reliably?

The bit of them sending you a password in plain text is a very bad idea for a couple of reasons. First, if they send you the email with a password in it, it is very possible that that password can be compromised by a MITM, as email is not encrypted by default. Second, if they are sending you the password, it is likely that they have stored it in plain text. Normally it is a bad idea to store passwords in plain text because people reuse passwords, and when one site is broken into, the attacker can access all the other sites that password is used on. In this case I would think it less likely that the password you get assigned is something you would use with another site, but still possible (obviously don't do this).

If you can't change the password, I would not trust the website. If you can change the password, I would still be a bit skeptical.

2
  • 3
"if they are sending you the password, it is likely that they have stored it in plain text." Not really. They can generate the password, create the email, and hash and store the password in the same process. They don't need the plain text password. But I agree with the rest.
    – ThoriumBR
    Commented Jan 17, 2019 at 20:23
  • 1
    Yea, I see your point, but I would bet that with an amateur sounding approach like this they probably overlooked some logs or data stores that are created by default. For instance the sent folder of the mailbox they are using.
    – MikeSchem
    Commented Jan 17, 2019 at 20:26
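The following is an added illustration (not code from the question, the answer, or the website being discussed) of the point ThoriumBR makes above and of the reset behaviour the asker observed. It generates a random ten-character password, hashes it with a salted PBKDF2 in the same step that produces the plaintext for the welcome e-mail, stores only the hash, and implements "forgot password" so that the old password stops working once a new one is issued. The in-memory user table, the e-mail address and the iteration count are constructed for the example; the Python standard library calls are real.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory "user table" for the example: email -> {salt, hash}.
# The plaintext password is never written here; only the salted hash is.
USERS = {}

ALPHABET = string.ascii_letters + string.digits   # case-sensitive, like the site's passwords
PASSWORD_LENGTH = 10
PBKDF2_ITERATIONS = 600_000                        # assumed work factor for PBKDF2-HMAC-SHA256


def generate_password(length=PASSWORD_LENGTH):
    """Cryptographically random password drawn from a CSPRNG, not random.choice()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the same function is used at set-time and verify-time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(email):
    """Assign a fresh password and persist ONLY its hash.

    The plaintext exists only in this function's return value, which the caller
    hands to the mailer; nothing in USERS can be reversed into the password.
    """
    password = generate_password()
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": hash_password(password, salt)}
    return password


def verify_password(email, candidate):
    """Constant-time comparison of the candidate's hash against the stored hash."""
    record = USERS.get(email)
    if record is None:
        # Hash anyway so an unknown account costs the same time as a wrong password.
        hash_password(candidate, b"\x00" * 16)
        return False
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def forgot_password(email):
    """A correct reset replaces the stored hash, so the previous password must stop working.

    (The asker saw the opposite: the older password kept working and the newer one
    did not, which is what you would see if the reset mailed a password without
    ever replacing the stored credential.)
    """
    if email not in USERS:
        return None
    return set_password(email)


def plaintext_leaked_into_store(password):
    """Sanity check used in review: the plaintext must not appear anywhere in the store."""
    return any(password.encode("utf-8") in rec["hash"] for rec in USERS.values())


def welcome_email(email, password):
    """The mail body. Whatever the store does, this plaintext still crosses the network,
    which is the separate transport risk the answer raises."""
    return f"To: {email}\nYour password is: {password}\nPasswords are case sensitive.\n"


if __name__ == "__main__":
    user = "someone@example.test"                  # constructed address
    first = set_password(user)
    print(welcome_email(user, first))
    print("first password verifies:", verify_password(user, first))
    second = forgot_password(user)
    print("after reset, old password verifies:", verify_password(user, first))
    print("after reset, new password verifies:", verify_password(user, second))
```

Run as a script it walks through account creation and a reset; the two `verify_password` calls after the reset are the check the asker's experience fails, since on the site the older password remained valid.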

