Poor Practice: E-Mailing Passwords

A couple of weeks ago, I sent out the following Tweet:

Tweet about Emailing Passwords

This prompted a short conversation with Marc Hoffman about how it can seek to balance between security and convenience, the convenience factor being that if a user has their password in their e-mail, it can limit the necessity of password reset requests, and that sort of thing.

In my opinion, there is no reasonable argument for convenience. Most users utilize a very small number of passwords anyway. Those who don’t, usually take advantage of a password-safe application, in order to keep things straight. Which is fine. I don’t consider it the real answer to the password problem (that would be OAuth), but it allows you to securely store passwords (though if this is better security than in index card in your wallet is debatable), and manage the complexity.

E-mailing a copy of the user’s password, when you’ve already required them to enter their password into your site twice, does not help either of these use cases. Safe-users will have already saved their database. Password-repeaters already know their password.

Plus, it always gives me a nagging feeling that my password is going into their database the same way it came out of that e-mail. Plain text. That may not be true (and I always pray it is), but if they’re already expressing (what I consider) a lackadaisical attitude about using my password, it doesn’t give me a whole lot of hope.

Marc feels it’s an act of balancing between convenience and security, and certainly, all security advice is a trade-off. However, I don’t see any benefit to this. The odds of a user typing in their password wrong twice and needing to be reminded of it in an immediate e-mail. The odds of a user using an unfamiliar password, and not storing it somewhere secure. The odds of these things seem very high against, and they seem to send a strong message that the password isn’t something of any value. For many sites, it isn’t, but given the tendency of users to reuse passwords…

If anyone can provide me a strong use case for e-mailing a user the password they just entered into your site to create an account, I’d love to hear it.