Our company uses another company for time tracking, salaries, and so on. We use their web page for registering, and also for checking specification of salary and so forth.
The other day I found that I forgot my password, so I told them so. To my astonishment, I got a mail with my password, the very password I had forgotten.
Two things bother me with this. One: The fact that they know my password. Two: The fact that they mail it to me.
If they can retrieve my password, it is stored in a very unsecured way, in my mind, and I also find it dubious that they just mail it to me (instead of, for instance, mailing me a password I can use on a site which allows me to change my password to something only I know).
Do you agree with me that such a company should not be our provider of this kind of service?
I agree. At the very least, I would challenge them as to why they are doing this (my guess is that their systems will have been homebrewed by someone who either doesn’t care much about security, or simply lacks the skills to implement it).
If it’s staff and salary data, I’d say that needs to be secure. Really, if you implement any kind of password/login system, there’s no reason not to make it more secure, and no reason to have passwords at all unless you make it secure.
It smacks of bad practice bordering on incompetence, yes. Difficult to see why they don’t store hashes of the passwords (although people mess that up, too). I mean, these are not new concepts.
I work on Oracle databases. I cannot see a user’s password. However, if they forget their password, I can reset it with a one-time temporary password; email the password to their account on record, encrypted; and give them one chance to change the password to something they will remember.
However even though I don’t know their password, I could ‘steal’ their account for a while and mess with it. However that kind of action is stored in auditing files at the operating system level where I could be caught. Of course if the DBA and Systems Administrator are in cahoots, there’s not much that can stop them. Therefore it’s good to hire people that you can trust and still have a lot of management oversight just in case.
As the OP said, it is disturbing that they knew the actual password especially as many people use the same password for other accounts.
Emailing the password isn’t all that bad, especially if it’s encrypted and sent to an address on record. However, if you can call up the help desk to say you forgot your password and could you please email it to xyz@zyx.com? That would be really easy for someone to hack. As I mentioned, we send a one-time password and make the user change it the first time that they log in.
Yes, it’s poor practice. Typically, passwords are only stored in an irreversible mangled form (called a ‘hash’). Nobody can unmangle them to get the real password back (but the site can mangle what you type at login, and compare that to what they’ve stored to make sure you did type the right password). That way, even if someone steals the stored password list they can’t log in as you.
So if the company can send you your current password, they’re skipping this step. You’re also right that it’s better practice when somebody forgets their password to immediately change it to a temporary one and tell the person the new temporary password. Not doing these two steps isn’t immediately breaking all security, but it is sloppy enough that I wonder what else they’re screwing up, not just security, but in making good backups, accurate reporting, and all the other things that you’d like to see in someone you rely on for getting paid.
In fact, what I really wonder is how easy it was for you to convince them you really were the person whose password they sent, and if they let you tell them what e-mail address to use. Could you call up, say “Hi this is <coworker>. I forgot my password; please send it to officeprank321@yahoo.com” ? If so, well, I’ll let you decide whether to inform your management of the unacceptable security, dramatize the unacceptable security by changing the CEO’s timecard, or just use this power for evil within the workplace.
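As an added illustration (not code from any poster or from the provider discussed) of the two practices the answer above describes: storing only a salted, irreversible hash and checking a login by re-hashing what was typed, plus handling a forgotten password by issuing a random one-time temporary password that must be changed. The PBKDF2 work factor and the 15-minute temporary-password lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # assumption: work factor chosen for illustration


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, hash). The plaintext password is never stored."""
    salt = salt or os.urandom(16)          # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Re-mangle what the user typed and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


class Account:
    def __init__(self, password: str):
        self.salt, self.pw_hash = hash_password(password)
        self.must_change = False   # True only while a temporary password is active
        self.temp_expires = None

    def reset_password(self, ttl_seconds: int = 900) -> str:
        """Forgot-password path: the old hash is discarded, so nobody (help desk
        included) ever learns the old password; the user gets a random temporary one."""
        temp = secrets.token_urlsafe(12)
        self.salt, self.pw_hash = hash_password(temp)
        self.must_change = True
        self.temp_expires = time.time() + ttl_seconds
        return temp   # to be sent to the address on record, nowhere else

    def login(self, password: str) -> str:
        """Returns 'ok', 'change-required' (temporary password in use) or 'denied'."""
        if self.must_change and time.time() > self.temp_expires:
            return "denied"   # expired temporary password
        if not verify_password(password, self.salt, self.pw_hash):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        if self.login(current) == "denied":
            return False
        self.salt, self.pw_hash = hash_password(new)
        self.must_change = False
        self.temp_expires = None
        return True
```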
Yes, this is a sign of total incompetence. You should alert your company that they are outsourcing to a bunch of numbskulls. You should also report them to the Password Policy Hall of Shame.
You might check your state laws regarding the storage of HR information. I don’t know how technical they get, but many warrant at least some degree of protection.
But yeah, that company is not a trustworthy one to store sensitive information with.
If security is important to you, find a provider that hashes and salts their passwords, and maybe one that also encrypts the actual data.
The problem with keeping the passwords in clear text is that if a hacker ever steals the database, they have a huge list of names, email addresses, and passwords. Many people use the same password on different sites, so hackers can use that info to try to break into your email, bank, Facebook, Amazon, etc. Think about all the websites which use email/pw for login.
However, everyone should assume that every website has bad internal security. You should assume that the account info, including passwords, is freely available and act accordingly. At a minimum, have unique passwords on every site you use. It’s even better if you can create a unique email address for each site. That way if a hacker gets the database, at most they have the login for that particular site. The password won’t work on any other site.
If you use Gmail, you can add a “+whatever” after your email name to create automatic aliases that end up in the same mailbox. That way, you can see who’s leaking your email address to spammers or hackers.