You register on a website, enter your own password, and... it arrives in your inbox, in plain text. That was a choice a developer made.
So, you are registering on an ecommerce website. You type your own password into a password field that obscures the characters as you type them, submit the form, and receive a confirmation email about your registration.
That email contains your new login and, weirdly enough, the same password you just entered.
Isn't it nice of them to tell you the password you typed a minute ago?
What's the problem?
In the website's form, it's usually fine. You use input type="password", hopefully over HTTPS, so the only parties who know your password are you and the server.
Sending it by email, though, raises a lot of questions and issues.
The most obvious one: your password travels through a whole lot of servers, devices and networks, and every one of them is a potential leak. Is it encrypted the whole way? Nobody can really say with certainty. And once delivered, it sits in the mailbox, in its backups and on every device that syncs that mailbox, for as long as the message is kept.
The second issue is that the password is now visible. In registration and login forms, we are used to the password input that hides what is typed. My suspicion is that a lot of devs don't really know why; it's just called "password", so they use it. But now, suddenly, it's visible in full, so if you open that seemingly harmless email in public, it's on display to everybody around you.
The correct approach to registration and passwords
You have two options.
- Generate a unique, random password, include it in the email, and encourage the user to change it after the first login (or, better, force the change).
- Let the user set up their own password, but store it securely (salted and hashed with a password-hashing function such as bcrypt, scrypt or Argon2; not reversibly encrypted), validate against that hash, and never use it for any other purpose, never show it. This one I prefer.
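Both options in working code, as an added example written for this post and not the code of any platform it discusses. It uses only the Python standard library: PBKDF2-HMAC-SHA256 stands in for bcrypt or Argon2 (which need third-party packages), the iteration count and the in-memory user store are assumptions for the example, and the "email" is just a dict so you can see exactly what would leave the server. The point to notice: with option 2 the welcome message never contains the password, and with option 1 the temporary password is emailed once, stored only as a hash, and cannot be used for anything but changing itself.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
# In production prefer argon2id or bcrypt via a maintained library.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage. The plaintext is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def generate_temporary_password(length: int = 16) -> str:
    """Option 1: a random one-time password (assumed alphabet without look-alike characters)."""
    alphabet = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed in-memory user store for the example; a real application uses a database.
USERS: dict = {}

# Hash of a random value, used so that logins for unknown accounts take as long as real ones.
DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


def register_user_set_password(email: str, password: str) -> dict:
    """Option 2: the user chose the password. Store only its hash; the email carries no password."""
    USERS[email] = {"password_hash": hash_password(password), "must_change_password": False}
    return {
        "to": email,
        "body": f"Welcome {email}. Your account is ready; log in with the password you chose.",
    }


def register_user_temp_password(email: str) -> tuple:
    """Option 1: generate a password, store its hash, email it once, force a change at first login."""
    temp = generate_temporary_password()
    USERS[email] = {"password_hash": hash_password(temp), "must_change_password": True}
    welcome = {
        "to": email,
        "body": f"Welcome {email}. Your temporary password is: {temp}\n"
                "You must change it the first time you log in.",
    }
    return welcome, temp


def login(email: str, password: str) -> str:
    """Return 'ok', 'change_password_required' or 'denied'. Never echo the password anywhere."""
    user = USERS.get(email)
    stored = user["password_hash"] if user else DUMMY_HASH
    ok = verify_password(password, stored)
    if user is None or not ok:
        return "denied"
    return "change_password_required" if user["must_change_password"] else "ok"


if __name__ == "__main__":
    print(register_user_set_password("alice@example.test", "correct horse battery")["body"])
    print(login("alice@example.test", "correct horse battery"))
    welcome, _ = register_user_temp_password("bob@example.test")
    print(welcome["body"])
```

Two details worth copying even if you swap the hash function: the stored string carries its own salt and parameters, so you can raise the cost later without a migration, and the login path hashes a dummy value for unknown accounts so response time does not reveal which emails are registered.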
Think about where the password goes and what happens every time it is used. The fewer hops, the less exposure, the better. Neither the network nor email is under your control; they may be secure, or they may not.
Since we launched Grace Mail, I can see how many networks are still not secured, how many of them don't use TLS when passing an email along.
Also, what does this say about the developers? Mistakes happen, but this is a long-running ecommerce platform handling orders, personal data and financial information.