[edmccaffrey]

> Anybody sending you back your password in clear text is also storing it that way in their database

Incredibly ignorant statement. If it's encrypted in a reversible format then it's not cleartext. If it's being sent in a confirmation email, then it could even be stored as a one-way hash: password extracted from the form, inserted into email, hashed and stored (This is what WordPress, for example, does).

A case can be made against both of those procedures, but that is a separate issue from his statement being ignorant.

[tptacek]

If the app can "reverse" the encryption, so can an attacker. The case against storing passwords this way is pretty strong.

[tedunangst]

If the key is embedded in the app and you don't keep the source on the server, reversing the binary (if the attacker even thinks to steal it) is enough of a hassle to deter most people. And maybe the attack only allowed them to copy the database.

It's not foolproof, but for stupid free websites (that's what we're talking about right?), storing encrypted passwords isn't an automatic gimme for the attacker.

[tptacek]

It's a pernicious myth that passwords on "free" websites don't matter, because no money is changing hands. Most people use the same password for random apps as they do for their email account.

I don't even want to get into the rat-trap of "what kinds" of attackers are stopped by reversably encrypted passwords. There's no kind of attacker that can reverse a properly hashed password, and so that's what you should use.

[colonelxc]

Why, oh why, do any websites need to be able to reverse an encrypted password to the plaintext? 99.99% of the time, simply resetting the password to something different is a much better way to go (in the case the user forgets).

I'm sure there are exceptions to this rule, but we shouldn't encourage a design that has the potential to hurt users (if the database + password encryption key are compromised), when the solution (seeded hashing) takes just about the same amount of work (probably less).

[imsaar]

Incredibly educational comment. I stand corrected that it is not necessarily true that they would store it in clear text in the database but if someone is sending me password in clear text in email I would not give them a lot of benefit of doubt to do the right thing.

Besides, what is the utility of sending such an email. If certain software is open source and I can assure they are doing the right thing I will be much more comfortable.

[carbocation]

I store passwords as a hash in the database, but send it to the user in plaintext when they register. Why?

1. I didn't used to do this, but I got so many requests that I eventually caved. 2. No money changes hands on the site.

[imajes]

Without education, people won't learn. I'm a fan of thoughtful UX but, frankly.. this is an area where caving sucks. Sorry. I'd have spent the time improving my password recovery service.

[carbocation]

Hmm. Fair point. Maybe I'll reconsider sooner rather than later.