- Fri Jun 22, 2012 2:03 am
#3676
Again Katherine, you are just showing how little you know about the internet. OK, you are in PR and aren't supposed to know, but you really should run things by the people who do.
There are so many ways to spoof emails that no reputable company will EVER ask its users to email them their passwords. Seriously, how many emails a day does each of us get asking us to supply emails for credit cards, bank accounts, PayPal, Amazon, eBay, etc., etc., etc.? How many of them actually come from those companies? Zero, right? How many of them send you routine emails saying they will never under any circumstance ask you to divulge password information? Don't you think that means something?
The "please send me your account and password" email has got to be the 2nd most popular scam, right after the Nigerian who wants to give me 41.7 million dollars.
This sends all your passwords in clear text. A copy of your password now sits in your outbox waiting for your email to be compromised. A copy now sits in the inbox of VW waiting for their email to be compromised. A copy was sent in clear text over the internet where there are 100 ways a nefarious person can intercept it. A copy was sent over the wireless networks at both your end and mine. There are a dozen ways to write an email so it looks like it comes from VW but doesn't and a dozen ways to make it look like you are replying to VW but aren't. Sure, you are not afraid of someone breaking into your VW account, but how many people foolishly use the same password and account name for VW and their bank account or credit card? I'll bet if you run a random 100 username/password combinations through the login pages to Citi Cards, Capital One, Chase, and Bank of America, you will get at least one hit.
Most users are far too naive or inexperienced to recognize all the scams, so you will find tens of thousands of website advice pages telling users never to do what you have just asked them to do. No person should ever, under any circumstance, email passwords like this. Passwords which are emailed (like temporary reset passwords) should be reset immediately, and any professional website will force that.
Asking users to email their account names and password is a great big flashing red capital letters sign reading "I DO NOT KNOW WHAT I AM DOING!" Go find yourself a professional programmer, preferably one with an emphasis in security, and he will not only give you a much better explanation of why this is a major no-no, along with examples from his own inbox, he will show you a dozen better and more secure ways to have accomplished the exact same thing.
Most probably he would suggest you send each user an email with a passkey and a second email with a temporary password. The user enters the passkey and password into a webpage, which you can verify since you know to whom you mailed each. They can then validate a new (or old) account name and create a new password. All of this should be done using https, not http.
After that he will tell you that you should never under any circumstances store the passwords locally. In fact, if he is any good he will write your login and account system such that VW will never actually know the user's password (easy to do by storing them as hashes, one-way encryptions, etc.). Any website programming book, even a basic one, will tell you never to store plaintext passwords.
Yes, complicated, but anyone who does not approach security seriously on the internet nowadays is foolish at best. This lackadaisical attitude toward basic, routine, well-accepted security practices makes me very, very concerned for the security of my account, my CC info, and the images I place on your server.
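As an added example, not part of the post above and not VW's own code, here is the flow the post sketches in working form: a passkey and a temporary password are generated for the user (to be sent in two separate emails), only their salted hashes and an expiry are kept server-side, the pair is redeemed once on the site (over https) to set a new password, and the account store itself never holds a plaintext password, only a PBKDF2 hash. The function names, the in-memory dict used as the "database", the 15-minute expiry and the iteration count are assumptions for illustration.

```python
# Added example (not from the original post or VW): password-reset flow with
# a passkey + temporary password, and a user store that keeps only hashes.
# Function names, the in-memory store, TTL and round count are assumptions.
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000          # iteration count for PBKDF2-HMAC-SHA256 (assumed)
RESET_TTL_SECONDS = 15 * 60      # reset credentials expire after 15 minutes (assumed)


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash; the site never keeps the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def store_hash(secret: str) -> dict:
    """Fresh random salt per secret, so equal passwords get different hashes."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_secret(secret, salt)}


def check_hash(record: dict, candidate: str) -> bool:
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(record["hash"], hash_secret(candidate, record["salt"]))


def create_account(store: dict, username: str, password: str) -> None:
    # Only the salted hash is stored; the plaintext is discarded here.
    store[username] = {"password": store_hash(password), "reset": None}


def verify_login(store: dict, username: str, password: str) -> bool:
    user = store.get(username)
    return user is not None and check_hash(user["password"], password)


def issue_reset(store: dict, username: str, now=None):
    """Generate a passkey and a temporary password for the user.

    Both are returned so the caller can email them in two separate messages;
    only their hashes are kept, so a leaked database cannot replay the reset.
    """
    passkey = secrets.token_urlsafe(24)
    temp_password = secrets.token_urlsafe(12)
    store[username]["reset"] = {
        "passkey": store_hash(passkey),
        "temp": store_hash(temp_password),
        "expires": (now if now is not None else time.time()) + RESET_TTL_SECONDS,
    }
    return passkey, temp_password


def complete_reset(store: dict, username: str, passkey: str,
                   temp_password: str, new_password: str, now=None) -> bool:
    """Redeem passkey + temporary password once and set a new password."""
    user = store.get(username)
    pending = user["reset"] if user else None
    if pending is None:
        return False
    # Consume the pending reset on any attempt: one shot, then start over.
    # This is what makes an emailed temporary password useless after use.
    user["reset"] = None
    if (now if now is not None else time.time()) > pending["expires"]:
        return False
    # Evaluate both checks so a bad passkey and a bad temp password cost the same time.
    ok_passkey = check_hash(pending["passkey"], passkey)
    ok_temp = check_hash(pending["temp"], temp_password)
    if not (ok_passkey and ok_temp):
        return False
    user["password"] = store_hash(new_password)
    return True


if __name__ == "__main__":
    db = {}
    create_account(db, "katherine", "correct horse battery staple")
    pk, tp = issue_reset(db, "katherine")          # email pk and tp separately
    print("reset ok:", complete_reset(db, "katherine", pk, tp, "a new password"))
    print("login with new password:", verify_login(db, "katherine", "a new password"))
```

Because the stored records hold only salt and hash, an attacker who reads the database still has to brute-force each password through PBKDF2 individually; and because a reset pair is single-use and time-limited, an emailed temporary password that later turns up in a compromised inbox or outbox is worthless, which is exactly the property the post says a professional site would enforce.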