Account passwords in auto response emails from HG!

[Heimdol]

Account passwords are being included in your auto responder emails and they are in plain language not scrambled at all. This is not secure. I'll have to change my password every single time I do any emailing with Hostgator if it stays like this. Was this intended?

BTW it's the auto response email for billing@hostgator.com that is doing it.

[striddy]

Quote:

Originally Posted by Heimdol

Account passwords are being included in your auto responder emails and they are in plain language not scrambled at all.

And how would you prefer they email you the passwords?

Passwords from any site you join on the web are always sent in plain old email.

[Kris Siegel]

See my response to this here: http://forums.hostgator.com/showpost...11&postcount=3

Most secure websites do not send your password unecrypted in an e-mail. In fact, to be properly secured a company needs to hash all passwords so it's not possible for them to get any of them.

[striddy]

Quote:

Originally Posted by Kris Siegel

See my response to this here: http://forums.hostgator.com/showpost...11&postcount=3

Most secure websites do not send your password unecrypted in an e-mail. In fact, to be properly secured a company needs to hash all passwords so it's not possible for them to get any of them.

I have never received encrypted passwords from anywhere by email.

[mack]

As soon as I get it, I log in and change the password. Don't really see what the big deal is.

[Kris Siegel]

Quote:

Originally Posted by striddy

I have never received encrypted passwords from anywhere by email.

You wouldn't receive an encrypted string if that's what you're thinking. There a ways an e-mail can be sent over an encrypted connection but really the password should not be sent via e-mail.

[striddy]

Quote:

Originally Posted by Kris Siegel

You wouldn't receive an encrypted string if that's what you're thinking. There a ways an e-mail can be sent over an encrypted connection but really the password should not be sent via e-mail.

Yes I realize you can send email with encryption. Many medical companies, doctors and hospitals I work for have these facilities. Everyone has each others encryption keys. But this is on a different level.

Email as we all use it is insecure but can you imagine the support issues if we all started encrypting emails. Don't forget the person receiving the email needs to decrypt it as well.

How would you suggest it be done?

If you feel it's not secure, just do as Mack suggested and change it when you get it. We all change our passwords regularly anyway. Don't we??

[gwyneth]

Quote:

Originally Posted by striddy

Quote:

Yes I realize you can send email with encryption. Many medical companies, doctors and hospitals I work for have these facilities. Everyone has each others encryption keys. But this is on a different level.

Email as we all use it is insecure but can you imagine the support issues if we all started encrypting emails. Don't forget the person receiving the email needs to decrypt it as well.

How would you suggest it be done?

If you feel it's not secure, just do as Mack suggested and change it when you get it. We all change our passwords regularly anyway. Don't we??

striddy and mack aren't stressing this enough: when you get a password via email, you should always change it immediately, even if the sender overlooked the crucial phrase "temporary password". Some security gurus think that's far more important than crypting up such a password, anyway.

[Heimdol]

I don't think you guys understand. I wasn't asking for my password I was inquiring about something totally different yet each email response I received had my password in it. This is not secure.

Sure if your requesting your password because you lost it or forgot it then fine they should send you "one" email with it in there but they are sending it in every email from the auto responder system no matter what your emailing them for. Thats the issue!

So my suggestion is, they need to stop doing that.

[mikesmithfl]

I know this is a bit late, but:

A recommendation on how to communicate a password to a customer:

Include a link in the message to a secure page that requires a login using either the recipients original password (kept secret, not in the message) or a temporary _alternate_ password (not the original) that is included in the message, along with a couple of ident/verification questions. The answers to those questions having been stored in the system previously by the intended recipient. The alternate password will ONLY work with the page linked to within the message, and expires within a prescribed period of time.

It's part of what is commonly referred to as pro-active, but what used to be called "planning ahead". (comment: I think the new P.C. words stink and are ineffective)

And yes, they DO need to stop doing "that" ("that" being sending plain text passwords via email, or for that matter, being ABLE to send passwords via email...)

[softwarecandy]

Quote:

Originally Posted by Heimdol

I don't think you guys understand. I wasn't asking for my password I was inquiring about something totally different yet each email response I received had my password in it. This is not secure.

Sure if your requesting your password because you lost it or forgot it then fine they should send you "one" email with it in there but they are sending it in every email from the auto responder system no matter what your emailing them for. Thats the issue!

So my suggestion is, they need to stop doing that.

I totally agree with you. See my own posting regarding this issue:

http://tinyurl.com/5cjv8n

Sending a customer his/her password when not requested, is amateurish at best and borders with negligence. I am really surprised that:

• Given the excellent technical ability that the HostGator staff demonstrated to me so far, HostGator continues for some reason to email unsolicited passwords.
• No one from HostGator has commented on this issue either in this thread or my original thread.