Passwords in email

Dear web sites:

Please do not send me my password in plain text in an email. My email is not necessarily secure. The protocols by which email is sent through the Internet are unencrypted. When you send me an email with my password in it, I delete it immediately. phpBB does it. So does Geni. Movember did it, too. There are only two cases in which you should send me a plain-text password in an email:

  1. When I create an account, and you generate a password for me.
  2. When I tell you I forgot my password, and you generate a new password for me.

The fact that you can tell me my password in plain text at all means you are storing it in plain text (or reversibly encrypted), and that tells me your database is insecure. Anyone with access to it, an attacker who dumps it or an employee who reads it, would get everyone's plain-text usernames and passwords, which people reuse on other sites. Please change your database schema to store a salted one-way hash of each password instead. With a hash you can still check a login and still generate a new password for me, but you cannot recover the old one, and neither can anyone who steals your data.
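What that schema change looks like in practice, as an added example written for this page rather than code from phpBB, Geni or Movember: a tiny user store that keeps only a salted PBKDF2-HMAC-SHA256 record per user, verifies logins in constant time, and covers the post's two allowed cases (a generated password at sign-up and a generated password on reset) by producing a random one-time password that is hashed before anything is written to the "database". The iteration count, the record format (`algorithm$rounds$salt$digest`) and the `UserStore` class are this example's own choices, not anything the sites mentioned use.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption: 600,000 rounds (OWASP's 2023
# figure); tune it so one verification stays well under a second on your
# hardware. It is stored in each record so it can be raised later.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$rounds$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    try:
        algorithm, rounds, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def generate_temporary_password() -> str:
    """A random one-time password: the only kind the site ever holds in plain text."""
    return secrets.token_urlsafe(12)


# Hashed once at import so that a login for an unknown user costs the same time
# as a login for a real one (no username enumeration through timing).
_DUMMY_RECORD = hash_password(secrets.token_urlsafe(16))


class UserStore:
    """Stand-in for the site's user table. Only hash records are ever kept."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def create_account(self, username: str) -> str:
        """Case 1 from the post: generate a password, store its hash, and hand the
        plain-text copy back exactly once so it can go in the welcome email."""
        temp = generate_temporary_password()
        self._records[username] = hash_password(temp)
        return temp

    def reset_password(self, username: str) -> str:
        """Case 2: the old hash is overwritten; the old password is gone for good."""
        if username not in self._records:
            raise KeyError(username)
        temp = generate_temporary_password()
        self._records[username] = hash_password(temp)
        return temp

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)  # uniform timing; result ignored
            return False
        return verify_password(password, record)

    def stored_record(self, username: str) -> str:
        """What a database dump would expose for this user: no password in it."""
        return self._records[username]


if __name__ == "__main__":
    store = UserStore()
    first = store.create_account("alice")
    print("welcome-email password:", first)
    print("what the database holds:", store.stored_record("alice"))
    print("login with it:", store.login("alice", first))
    second = store.reset_password("alice")
    print("reset-email password:", second)
    print("old password still works:", store.login("alice", first))
```

Two caveats a practitioner would add: a password that was emailed should be treated as compromised, so force a change on first login and expire it if unused; and the constant-time comparison only helps if the unknown-user path does the same amount of work, which is why the dummy record is verified and discarded.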


Redirect referer test

A web user is looking at page A. He clicks on a link to page B. That page has a META Refresh to page C. What is the value of HTTP_REFERER for that last request? What if the redirect was a Status 307? Or a location.replace() JavaScript call? What if he's using Opera? I've been doing some redirect referer tests this week and I have results for some of the most common browser/OS combinations. I hope to expand them further.
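A harness for running the same A -> B -> C experiment against any browser, as an added example that is not the author's own test setup: a small standard-library HTTP server where /a links to /b, /b forwards to /c by the technique named in its `via` parameter (META Refresh, a 307, a `location.replace()` call, and a plain 301 as a baseline the post does not mention), and /c records whatever Referer header actually arrives. The paths, the `via` parameter and the `results()` table are this example's own names.

```python
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

Response = Tuple[int, Dict[str, str], str]  # status, headers, body

# Redirect techniques under test; page C records the Referer each one produces.
VARIANTS = ("meta", "301", "307", "js")

# Filled in by page C: (variant, Referer header, or None if the browser sent none).
OBSERVED: List[Tuple[str, Optional[str]]] = []

HTML = {"Content-Type": "text/html; charset=utf-8"}
TEXT = {"Content-Type": "text/plain; charset=utf-8"}


def page_a() -> Response:
    """Page A: one link to page B per redirect technique."""
    items = "".join(f'<li><a href="/b?via={v}">B via {v}</a></li>' for v in VARIANTS)
    return 200, HTML, f"<h1>A</h1><ul>{items}</ul>"


def page_b(variant: str) -> Response:
    """Page B: forward to C using the requested technique."""
    target = f"/c?via={variant}"
    if variant == "meta":
        body = f'<meta http-equiv="refresh" content="0;url={target}"><p>B (meta refresh)</p>'
        return 200, HTML, body
    if variant == "js":
        body = f'<script>location.replace("{target}");</script><p>B (location.replace)</p>'
        return 200, HTML, body
    if variant in ("301", "307"):
        return int(variant), {"Location": target, **TEXT}, ""
    return 404, TEXT, "unknown variant"


def page_c(variant: str, referer: Optional[str]) -> Response:
    """Page C: log what arrived in the Referer header and echo it back."""
    OBSERVED.append((variant, referer))
    return 200, TEXT, f"C via {variant}: Referer={referer!r}"


def results() -> Dict[str, Optional[str]]:
    """Most recent Referer observed per variant, as a table for the write-up."""
    return dict(OBSERVED)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        url = urlsplit(self.path)
        variant = parse_qs(url.query).get("via", [""])[0]
        if url.path == "/a":
            status, headers, body = page_a()
        elif url.path == "/b":
            status, headers, body = page_b(variant)
        elif url.path == "/c":
            status, headers, body = page_c(variant, self.headers.get("Referer"))
        else:
            status, headers, body = 404, TEXT, "not found"
        data = body.encode("utf-8")
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    print(f"Open http://localhost:{port}/a in each browser and click every link;")
    print("each /c hit shows the Referer it received, and the request log is on stderr.")
    HTTPServer(("127.0.0.1", port), Handler).serve_forever()
```

Run it, open /a in the browser under test, click each link, and read the Referer off page C (or call `results()` from a debugger). Everything is served over plain HTTP on one origin, so what you see is the browser's default behaviour for each technique; serving A over HTTPS and C over HTTP, or adding a Referrer-Policy header, changes the answer in modern browsers and is worth a separate row in the table.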