cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ericgeater
Community Champion

Showing a password in email body

I just signed up to a portal.  This portal is capable of placing contract orders, making credit card purchases, and (naturally) browsing for merchandise.  I had to submit billing and shipping information -- which included my personal email address and home address.  But that was the extent of private data submitted.

 

After the signup process was complete, I browsed the store, stuck something in my cart, then left without paying.  I went back to my email and observed that the portal manager sent a welcome message which included my name and password.

 

Any of us could chime in about mail protection schemas, but many focus most closely on sender authentication.  And I'm from a school that says hosts exchange via SMTP on port 25, and the use of encryption is not always guaranteed.  Is it possible to review header detail and infer the technologies (if any!!) which were used for message protection?

More to the point, is there a way to confirm if the sender passed the email unencrypted, and thus my password in plaintext?

-----------
A claim is as good as its veracity.
6 Replies
dcontesti
Community Champion

Eric,

 

Based on my limited knowledge of mail headers, I would hazard a guess that the email was not encrypted but an interesting exercise would be to analyze the header information.  Most systems that I have seen typically require you to access a specific site, and create a password, etc.to be able to access the information they are sending.

 

But based on your note, I do not think that I would be dealing with these folks and would immediately remove any confidential information that might be on their site.

 

my nickel

 

d

 

 

 

AlecTrevelyan
Community Champion


@ericgeater wrote:

I just signed up to a portal.  This portal is capable of placing contract orders, making credit card purchases, and (naturally) browsing for merchandise.  I had to submit billing and shipping information -- which included my personal email address and home address.  But that was the extent of private data submitted.

 

After the signup process was complete, I browsed the store, stuck something in my cart, then left without paying.  I went back to my email and observed that the portal manager sent a welcome message which included my name and password.

 

Any of us could chime in about mail protection schemas, but many focus most closely on sender authentication.  And I'm from a school that says hosts exchange via SMTP on port 25, and the use of encryption is not always guaranteed.  Is it possible to review header detail and infer the technologies (if any!!) which were used for message protection?

More to the point, is there a way to confirm if the sender passed the email unencrypted, and thus my password in plaintext?


Sure, you can look at the headers either by reading them manually or through using one of the many SMTP header analysing tools/sites out there.

 

It will be easy to see the portions of the email's journey that were definitely encrypted as you'll see the TLS versions and ciphers being used.

 

However, it may be difficult to prove any portions of the journey were definitely not secured as even though they may not show up as being carried over TLS, they could have been carried over another private network.

 

ericgeater
Community Champion

So if I don't see any TLS header lines (or signs of any other encryption tactics), can I infer there was zero encryption in message composition and sending? I'll agree that we have no visibility at the carrier level... but to be fair, I also don't think that a backbone is interested in encrypting every bit of internet traffic, either.

My end goal is to assert that this portal has no business sending credentials-- especially without adequate protection.
-----------
A claim is as good as its veracity.
AlecTrevelyan
Community Champion

To give an example, when I look at the headers of an email I received this morning, I can see it was sent from the sender's SMTP server, which has an RFC 1918 private IP address so likely was accessed over a LAN, to an SMTP server of a well known email delivery service on the Internet. This portion of the journey looks to me like it could have been sent unencrypted, but equally it could have been sent over an IPsec VPN, there's no way for me to say definitively that it wasn't encrypted for that portion of the journey. All subsequent portions of the journey were sent using TLS which I can definitely say were encrypted.

 

It's certainly bad practice to send passwords in emails, and it's especially worrying if it's a password you set yourself rather than a system generated password that will prompt you for it to be changed after you first login - that could suggest the actual password is being stored and not just a salted hash of the password.

 

What happens if you go through the "I forgot my password" process? If they send the same password in plain text again you know there are major issues!

 

JKWiniger
Community Champion

To me, it seems there are a few different things to look at. Most mail connections now a days use HTTPS, so in route traffic would be encrypted just like going to any site that uses HTTPS. As for the content on the email I would almost guarantee that is was never encrypted. I say this from the simple stand point that if it had been encrypted on the sender's side who would have decrypted? Someone in the middle, very unlikely that they would take on the overhead, and you did not need to decrypt it so I think there is a very good chance it was sent as plain text. 

 

As mentioned, I have seen system send 1 time use passwords in plain text but not the normal password. Most systems have changed over to sending a reset link instead of any kind of password. That way when you follow the link you would normally be over a HTTPS connection when you enter the new password providing a better level of security.

 

Just my .02

 

John-

chikme01
Newcomer I

I have seen these in old or legacy systems. The newer systems my be matured enough to avoid this.
I it was a One Time Password (OTP), it is acceptable. However, if it is a normal one, I would think twice being a member of that system and remove any confidential information.
mEGhS