Stop Sending Passwords in Emails!

As you may have noticed from my About Me, I build software, and much of that software requires serious security. Whether it's health data or educational data, data security is king. What I can’t understand is why companies that claim a good privacy policy send me my password in an email. Whether it’s temporary or not, it’s still bad. Even worse is when a company sends me my password long after I signed up. Right away, I know they don’t use a one-way hash to store their passwords. There’s no way you should be able to decrypt my password.

Security 101: No one other than me should know my password. Ever! If you must send a password, make it temporary and force me to change it. Always store it as a one-way hash salted with a really long, random string.
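
Here is one way those two rules can look in code. This is an added example, not code from any particular product: the scrypt cost parameters, the 15-minute lifetime, the in-memory `users` dict and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed scrypt cost parameters (illustrative; tune for your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
TEMP_TTL = 15 * 60  # assumed lifetime of a temporary password, in seconds

def make_record(password, temporary=False, now=None):
    """Return what the server stores: salt and hash, never the password."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(32)  # long random salt, new for every record
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"salt": salt, "hash": digest, "must_change": temporary,
            "expires": now + TEMP_TTL if temporary else None}

def matches(record, password):
    """Re-hash the attempt with the stored salt; compare in constant time."""
    attempt = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT)
    return hmac.compare_digest(attempt, record["hash"])

def issue_temporary(users, name, now=None):
    """Replace the stored hash with one for a random temporary password."""
    temp = secrets.token_urlsafe(16)
    users[name] = make_record(temp, temporary=True, now=now)
    return temp  # shown to the user once; the server keeps only the hash

def login(users, name, password, now=None):
    """Return 'ok', 'change_required' or 'denied'."""
    now = time.time() if now is None else now
    record = users.get(name)
    if record is None or not matches(record, password):
        return "denied"
    if record["must_change"]:
        # A temporary password only ever leads to the change-password step.
        return "change_required" if now < record["expires"] else "denied"
    return "ok"

def change_password(users, name, old, new, now=None):
    """Set a new password only if the old (or temporary) one still works."""
    if login(users, name, old, now) == "denied" or new == old:
        return False
    users[name] = make_record(new)
    return True
```

Because only the salt and the hash are stored, there is nothing the server could put in an email "long after I signed up"; the most it can do is issue a fresh temporary password that expires and cannot be kept.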

It’s simple. If you send me my password in an email, I will not do business with you.

