Pet Peeve: Don’t email my password to me in plain text
29 Jun 2008
You know the drill.
- Sign up for some random service on the internet
- Receive a confirmation email with your account information
or
- Forget a password for some random service on the internet
- Receive an email with your current password
In today’s day and age, I’m not aware of any good reason why we (the services) should be transmitting user credentials (namely their passwords) in an email. The HBC Run For Canada site was the latest example I ran into. If I go to the bank and tell them I’ve forgotten my PIN, are they going to verify my identity and just tell me my old PIN, or require me to specify a new PIN? I suspect the latter.
Bearing in mind that I’m slightly more technical than most people, I still don’t expect any service to store my password in plain text, let alone be able to provide it to me on demand.
We’ve already got infrastructure for single-use password-reset URLs, hints, etc., so let’s use them uniformly. Nothing’s perfect, but depending on your particular audience, something like OpenID could very well be a nice solution to end-user authentication.
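To make the alternative concrete, here is a minimal version of the flow the post argues for: the service stores only a salted password hash (so it cannot email the password back even if it wanted to), and a forgotten password is handled with a random single-use, expiring reset token whose hash, not the token itself, is kept server-side. This is an added example written for this page, not code from the original post or from any service mentioned in it; the in-memory dictionaries, the PBKDF2 parameters, the 15-minute lifetime and all function names are assumptions chosen for illustration.

```python
"""Hashed password storage plus single-use, expiring reset tokens.

Added example (not from the original post). USERS and RESET_TOKENS are
hypothetical in-memory stores standing in for database tables.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"user": str, "expires": float}

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60   # assumed reset-link lifetime


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a slow, salted hash. Only the (salt, hash) pair is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_user(username: str, password: str) -> None:
    """Store or overwrite the user's credential with a fresh salt."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Burn the same work for unknown users so timing does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def _token_key(token: str) -> str:
    # Store a hash of the token: a leaked RESET_TOKENS table then cannot be
    # used to take over accounts, just as a leaked USERS table cannot be
    # used to log in.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Return the raw token to put in the emailed reset URL, or None.

    The caller should send the same generic 'check your email' response
    either way so the form does not double as a username oracle.
    """
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_key(token)] = {"user": username,
                                       "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Set a new password if the token is known, unexpired and unused."""
    now = time.time() if now is None else now
    # pop() makes the token single-use: it is gone whether or not it was valid.
    rec = RESET_TOKENS.pop(_token_key(token), None)
    if rec is None or rec["expires"] < now:
        return False
    user = rec["user"]
    # A successful reset also voids any other outstanding links for this user.
    for key in [k for k, v in RESET_TOKENS.items() if v["user"] == user]:
        del RESET_TOKENS[key]
    create_user(user, new_password)
    return True


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    link_token = issue_reset_token("alice")
    print("email this, never the password: https://example.invalid/reset?t=" + link_token)
    print("reset ok:", redeem_reset_token(link_token, "new passphrase"))
    print("old link reusable:", redeem_reset_token(link_token, "again"))
```

The three properties the post asks for fall out of the structure: the service holds nothing it could email back (only PBKDF2 output), the reset link is worthless after one use or after its TTL, and the stored side of the token is a hash, so a database dump does not hand out live reset links.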