Don't store my password in plain text

I recently changed my password to access my Dreamhost account panel. Not that I needed to, but it's important enough to change it regularly. Then I didn't log in for 2 months, and just last week I had to but couldn't remember the exact one. Went through the forgot password process, waited for the email and then I went 1/3 puzzled, 1/3 freaked out, 1/3 angry.

There it was: my password. My *exact* password. Just as I typed it. Couldn't believe it. Dreamhost, top 10 in hosting companies in the world, is storing plain passwords (or storing them with a two-way algorithm, which is pretty much the same). Oh boy.

That is just plain wrong. No amount of stupid calls to support saying "I can't get my new password to work" justify something like this. I know we all trade security for comfort here and there, but this is over the line. It really is.

Why would I trust DH employees? There are corrupt policemen, corrupt judges, corrupt school teachers... do you think the companies you work with are the exception? Somewhere, sometime, you are going to find an incompetent or a bastard. I only use that password for that panel, but tons of people don't; they use the same one everywhere. Guess what? DH got cracked and bad people got access to users' passwords. Once you get them, go to the email provider, log in with the password and BAM! you are in control of somebody else's life. It happened to Christian van der Henst: he lost control over his GMail account and spent a couple of funny weeks, to say the least.

If you are a developer, store the passwords hashed with a one-way algorithm, salting them with a long, fat key. Do you really want the responsibility of keeping that information safe FOREVER? When you back up your server, do you keep that data safe? How safe? Where? On an external drive? CDs? Are you telling me that you are OK storing the email + plain password of your users, knowing that the information you keep could cause A LOT of trouble in the wrong hands? Planetaki, I'm looking at you!

This is my preferred method:

* Click on lost password. Enter email. Click Send.
* Email arrives with link to special page where you can set up a new password. Please note that the password hasn't changed yet. The user must have the option to ignore the email in case someone has been messing around with the system. vi.vu, I'm looking at you now!
* User follows link and lands on a form to set up the new password. The previous special link is not valid any more.
* End of story.

If that's the case, I'm not worried as a user because I know that if they make a security mistake or get cracked by whatever the reason, no information is compromised. Likewise, I'm not worried as a developer because I'm not putting anybody at risk.
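The reset steps above, together with salted one-way storage, sketched in Python as an added example (not code from any of the sites mentioned). The in-memory dictionaries, function names, token lifetime and PBKDF2 work factor are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600      # assumed link lifetime in seconds; the post does not give one
ITERATIONS = 600_000  # assumed PBKDF2 work factor

users = {}   # email -> (salt, password_hash); stands in for the user table
resets = {}  # sha256(token) -> (email, expiry); stands in for the reset table

def hash_password(password, salt):
    # One-way and deliberately slow: the stored value cannot be mailed back.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(email, password):
    salt = secrets.token_bytes(16)  # fresh random salt per user
    users[email] = (salt, hash_password(password, salt))

def check_password(email, password):
    if email not in users:
        return False
    salt, stored = users[email]
    return hmac.compare_digest(stored, hash_password(password, salt))

def token_key(token):
    # Only a digest of the token is stored, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(email, now=None):
    """Steps 1-2: issue the token that goes into the emailed link.
    The current password is left untouched, so the email can be ignored."""
    if email not in users:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    resets[token_key(token)] = (email, now + TOKEN_TTL)
    return token

def complete_reset(token, new_password, now=None):
    """Step 3: set the new password; the link stops working after one use."""
    now = time.time() if now is None else now
    entry = resets.pop(token_key(token), None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True
```

A real site would answer a reset request for an unknown email with the same page as for a known one, so the form does not reveal which addresses have accounts.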

Recommended reading: You're Probably Storing Passwords Incorrectly.
