January 17, 2017

You’re Doing It Wrong: Passwords in Plaintext

Customer:  I forgot my password.

Website:  No problem! Here’s your new password via email — fully visible for your convenience!

Oh, the pain. The pain.

There’s so much wrong here.

If a website sends you a password in plaintext, it’s okay to cringe. The good news is that it may not be completely terrible. If it’s a one-time password (i.e., a temporary password), that’s sort of passable, especially if it comes with an expiration date. (A far better solution would have been getting a one-time link to click.)


However, if you’re emailed your real password in plaintext, that is completely terrible. Do not store any personal information on that site — credit card numbers, bank accounts, and passwords should be considered off-limits. And never use that password anywhere else.


Passwords are the most valuable bit of information you have. Something that valuable deserves respect. If a website is saving your password in plaintext, then your password — and you — aren’t getting the respect you deserve.
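What the post asks of a website, stated in code: store only a salted, slow hash of the password (so the site cannot mail it back even if it wanted to) and handle "I forgot my password" with a single-use link token that expires. This is an added example, not code from NYSTEC or from any site the post describes. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via `hashlib`, `secrets` for tokens, constant-time comparison via `hmac`); the in-memory `USERS` and `RESET_TOKENS` dictionaries, the iteration count and the 15-minute token lifetime are assumptions standing in for a real database and policy.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database table (assumption, not a real schema).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}

PBKDF2_ITERATIONS = 600_000      # assumed work factor; tune for ~a few hundred ms per hash
RESET_TTL_SECONDS = 15 * 60      # assumed lifetime of a reset link


def hash_password(password: str, salt=None):
    """Return (salt, digest). A fresh random salt is generated unless one is supplied."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store only salt + hash; the plaintext password never reaches the record."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user takes as long to reject as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def issue_reset_token(username: str, now=None) -> str:
    """Create the secret that goes into a one-time reset link.

    Only a hash of the token is kept server-side, so a leaked RESET_TOKENS table
    cannot be used to reset accounts. The caller emails the returned token as a link.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
    RESET_TOKENS[token_hash] = {"user": username, "expires": now + RESET_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str, now=None) -> bool:
    """Consume the token once; reject it if unknown or expired, then set the new password."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)   # popped on any attempt: single use
    if entry is None or now > entry["expires"]:
        return False
    salt, digest = hash_password(new_password)
    USERS[entry["user"]] = {"salt": salt, "hash": digest}
    return True


def stored_record_contains(username: str, password: str) -> bool:
    """Sanity check for the post's complaint: does the stored record hold the raw password?"""
    record = USERS[username]
    return password.encode("utf-8") in (record["salt"] + record["hash"])


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify_password("alice", "correct horse battery staple"))
    print("record holds plaintext:", stored_record_contains("alice", "correct horse battery staple"))
    link_token = issue_reset_token("alice")
    print("reset link would carry:", link_token[:8] + "...")
    print("reset ok:", redeem_reset_token(link_token, "new passphrase"))
    print("reuse rejected:", not redeem_reset_token(link_token, "again"))
```

The design choice worth noting is that nothing in `USERS` can be turned back into the password, which is exactly why a well-run site can only ever offer a reset, never "here is your password". The token lifetime and single-use pop cover the post's remark that a temporary credential is tolerable only with an expiration.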


The links in this content are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed therein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.
