PerlMonks  

Emailing Passwords? In 2020?

by punklrokk (Scribe)
on Aug 18, 2020 at 00:49 UTC

Hey Monks,
So, it's been a while. On a whim I came here and tried to log in. I had to reset my password.
Now, I know this is not really a super secret space and nobody is going to get my credit cards, but can I implore the site admins here to not email me my password via email.
Hopefully I don't need to get into why, but I'm willing to explain if needed.
JP (punklrokk)

Replies are listed 'Best First'.
Re: Emailing Passwords? In 2020?
by afoken (Chancellor) on Aug 18, 2020 at 18:39 UTC

    It's been ten years ... - Pants are still down, 11 years later. No one cared to fix the basic problem, a database full of plain text passwords without hashing and salting, and a password recovery mechanism from the age of the dinosaurs.

    If perlmonks wasn't that useful and entertaining, I would simply disable my account and search for some other place.

    So the second best thing to do is to follow the advice of LanX from Re^2: It's been ten years ...:

    Best is to stick with a randomly generated password and to store it into your browser or password manager.

    And of course: Don't use that nearly-public perlmonks password for anything else.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

      This is one symptom of a much bigger problem...

      This entire site is incredibly archaic and shows no sign of anyone with the power to change that caring. That is slightly concerning in itself but, as one of the main sites of Perl wisdom, it reinforces the opinion of many that Perl itself is archaic, outdated and unnecessary.

      Surely here should be a showcase for all the wonderful things Perl and its programmers are capable of in the modern world.

        The site is written in a fork of everything2, which isn't exactly modern. Modern frameworks such as Mojolicious have far lower barriers for participation, and represent what can be achieved with the modern internet. If I had the spare time I'd volunteer to work on some progress in this area.

Re: Emailing Passwords? In 2020?
by LanX (Saint) on Aug 18, 2020 at 05:04 UTC
Re: Emailing Passwords? In 2020?
by perlfan (Vicar) on Aug 18, 2020 at 04:42 UTC
    I'm more concerned about this restriction on password length, in 2020: Note: Ten (10) characters max!
Re: Emailing Passwords? In 2020?
by harangzsolt33 (Chaplain) on Aug 18, 2020 at 20:37 UTC
    The truth is nobody cares what your PerlMonks password is. There isn't any sensitive information in this site that should be guarded like gold and diamonds. If you're afraid that someone is going to steal your rank or take over your account and pretend to be you, enjoying your Pope status or whatever, then you take this whole thing too seriously.

    If you use the same password to your bank that you use here on PerlMonks, then that's your problem. You shouldn't do that. That's a big no no. That should be taught in Computer Class 101. Seriously. If you use the same password to any site, that's like leaving your car keys in the car while you go into a grocery store for shopping. Don't be surprised if someone steals your car. You're making it too easy for the robbers. The store isn't going to be held accountable if someone steals your car from the parking lot. Same here. If someone breaks into your bank account or email or Facebook, because you use the same password, that's your problem. The PerlMonks website is used by students and professionals and hobbyist programmers like me. If anyone is a programmer or pretends to be one and doesn't know that he shouldn't use the same password for two websites, then that person shouldn't be a programmer yet. We need to take his programming license away. LOL

Re: Emailing Passwords? In 2020?
by AnomalousMonk (Archbishop) on Aug 18, 2020 at 01:15 UTC
    ... [don't] email me my password via email.

    How should your password be emailed to you?


    Give a man a fish:  <%-{-{-{-<

      A password reset link should go out at the bare minimum. The original reason that sites stopped sending passwords out is that an attacker that got control of an email account now potentially has a password that may be reused elsewhere. Things like not allowing the last N passwords as well as complexity requirements are considered par for the course these days.

        I don't think that's the original reason. It's more that email is an insecure medium in general. SMTP, POP3, IMAP, etc. don't always use encrypted connections. It's becoming more common to encrypt them for the first hop and last hop, but end users have no control over the security of their message as it travels server-to-server. A man in the middle can easily inspect or even alter the contents of the message.

        Sending passwords by email also has a worrying implication — it means that the site knows what your password is. Passwords should be hashed. A website shouldn't be able to send you your original password because it shouldn't know what your original password even is. Unix got rid of plain text passwords in 1973; this has been a well-known security principle for longer than many of us have been alive so there's really no excuse for still making this mistake.

        (PS: for what it's worth, I don't think AnomalousMonk was disagreeing with you, just pointing out that "email XYZ via email" is a tautology.)
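The two points raised in this sub-thread, that a site should only ever hold a salted hash and that a reset link (not the password) is what belongs in the email, as an added Python example; this is not PerlMonks code, and the `UserStore` class, its method names and the 15-minute token lifetime are all assumptions made for the illustration:

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example, not the site's code. PBKDF2-HMAC-SHA256 from the
# standard library stands in for whatever password hash a real site would use.
PBKDF2_ROUNDS = 600_000
TOKEN_TTL = 15 * 60  # assumed lifetime of a reset link, in seconds


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored; the password itself never is,
    so there is nothing the site *could* email back to the user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    def __init__(self):
        self.users = {}   # username -> (salt, digest)
        self.resets = {}  # sha256(token) -> (username, expiry); token itself is not kept

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def verify(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def request_reset(self, username, now=None):
        """Returns the one-time token to put in the emailed link, or None for an
        unknown user (the HTTP reply should look the same either way)."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + TOKEN_TTL
        self.resets[hashlib.sha256(token.encode()).hexdigest()] = (username, expiry)
        return token

    def complete_reset(self, token, new_password, now=None):
        entry = self.resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return False  # unknown, or already used: tokens are single-use
        username, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False  # expired link; a new request is required
        self.users[username] = hash_password(new_password)
        return True
```

Because only a hash of each reset token is stored, a copy of the database does not yield usable reset links, and a token that is replayed or arrives after the deadline is rejected.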

      In a plain, brown envelope. :-)
Re: Emailing Passwords? In 2020?
by Anonymous Monk on Aug 19, 2020 at 13:24 UTC

    I, for one, don't have any problems with that!

    On a more serious note, I do - when I take a step back from playing the good anonymonk - but I don't consider it serious enough.
