
But that has nothing to do with the fact that just because the site emails you a password doesn't mean that they store the password in plaintext. The catch here is when they email the password upon the user having entered it (made an account or changed their password, or had a password generated for them, ...). If a user requests a lost password and it's returned in plaintext, then one can be sure that the password isn't being stored in a proper way.

HN does this too, by the way. If you request a new password for an account, it's being sent in plaintext. No problem here, when it comes to storing it.



No problem here? It goes through so many servers, unencrypted…


It's no problem, as long as it's a one-time-only password and has a limited lifetime (ideally only a day or so). It's similar to a password reset URL, which is also a password equivalent, but only usable once.

At least it's better than asking for your mother's maiden name.


Well, what would you do with an encrypted password sent to you by email? How do you propose to solve this? Using password reset links instead changes very little.


> Using password reset links instead changes very little.

Actually it changes a lot. Password reset links are one time only, and they get sent before you change your password. Mailing your password in plaintext after you've just changed it means it's good even if someone gets a hold of it months or years later. That's significantly worse.
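The two comments above describe the properties that make an emailed one-time password or a reset link acceptable: it is single-use, it expires after a short lifetime, and (unlike the user's chosen password) it is not worth anything if the message is read months later. The following is an added example, not code from the thread, showing one way to implement those properties server-side: only a hash of the token is stored, so a database leak does not expose usable tokens; the token is burned on first successful use; and it is rejected after a constructed 24-hour TTL. The class name `ResetTokenStore` and the in-memory dictionary are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# "a day or so", as the comment above suggests (constructed value)
TOKEN_TTL_SECONDS = 24 * 60 * 60


def _digest(token: str) -> str:
    """Hash the token before storing it, so a leaked table is not a leaked token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Minimal single-use, time-limited reset token store (hypothetical example)."""

    def __init__(self) -> None:
        # user -> {"digest": ..., "expires": ..., "used": ...}
        self._records: Dict[str, Dict[str, object]] = {}

    def issue(self, user: str, now: float) -> str:
        """Create a fresh token for `user`; issuing again replaces any older one."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[user] = {
            "digest": _digest(token),
            "expires": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # plaintext goes into the email exactly once

    def redeem(self, user: str, token: str, now: float) -> bool:
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        rec = self._records.get(user)
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        # constant-time compare of the hashes, not of the raw token
        if not hmac.compare_digest(str(rec["digest"]), _digest(token)):
            return False
        rec["used"] = True  # burn it: a second presentation must fail
        return True

    def stored_plaintext(self, token: str) -> bool:
        """True if the raw token appears anywhere in storage (it should not)."""
        return any(token in str(v) for v in self._records.values())


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice", now=1000.0)
    print(store.redeem("alice", t, now=2000.0))   # True: first use
    print(store.redeem("alice", t, now=2000.0))   # False: already used
```

Contrast this with mailing the freshly chosen password itself: that value is not single-use, does not expire, and is the very credential the attacker wants, so the same email sitting in an inbox stays useful for as long as the password does.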


Passwords can be one-time passwords, too. Requiring users to change their password the first time they log in is not an advanced feature.


Of course they can be, but that's not what we're talking about here. Please read the ancestor comments.


Odds are that you registered over plain HTTP anyway.


How many servers does it go through? Mail in the real world, today, is virtually always source server -> destination MX server. There was once a fanciful era when occasionally offline servers passed off to various smarthosts, and this was the big fear about email, but that is no longer the case.

HN passwords are not high security. If we lose an HN account, not only can it be easily restored by an admin, it's really not a huge loss - start again. There don't need to be extreme practices.

Oh, you use the same password across sites? (which is the source of 99% of password security concerns). That is crazy, and you shouldn't do that. That's on you. (You being the conceptual person up in arms)
