I hope that this is a good forum for this question.
Every few days I sign up for some internet thing that asks me for a username and password and other information. I dutifully enter my information and note that the password is *'ed out; great, a "secure" site.
A few minutes later, I get an email welcoming me to this great site and in the email is my password for all to see in cleartext.
This drives me nuts and I feel like I'm on a one-developer campaign to get other web developers to stop this common practice / mistake.
Does anyone know of a good article or white paper that I can reference on why this is a bad practice? I've searched MSDN, TechNet, Yahoo, Google, etc. and can't find something authoritative on the subject to forward to webmaster@ or support@.
To name a few biggies I've found: Hertz, Evite, Keyhole, ...
Thanks
-
-
I hope you're joking.
The point is that it shouldn't be sent! Sending the password in e-mail (which is completely insecure) should only be done in the case of a user losing his password, and in that case a secure site should require the user to change their password on their next login. -
I can see passwords becoming obsolete. Consider this:
Go to a site and register, with your email address. It sends you an "activate" link via email.
You click on the link, which activates your account, logs you in, and drops an authentication cookie on your computer.
If you visit the site without an authentication cookie, it sends you another "log in" link via email.
No passwords necessary. -
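The flow in the post above (register, e-mailed activation link, session cookie, fresh login link when the cookie is missing) as an added example; this is not Maurits's code or anything from the original thread. It assumes HMAC-SHA256 over the link fields with a server-side secret, a 15-minute link lifetime, single-use nonces, and in-memory stores; actually sending the e-mail is left out, so the methods return the token that would go into the link.

```python
import base64
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 15 * 60   # activation/login links stop working after 15 minutes (assumed)


class MagicLinkAuth:
    """Password-free sign-up and login built on signed, expiring, single-use e-mail links."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret          # server-side HMAC key; never leaves the server
        self._now = now                # injectable clock (makes expiry testable)
        self.accounts = {}             # email -> {"active": bool}
        self._redeemed = set()         # nonces already used, so a link works once
        self._sessions = {}            # cookie value -> email

    # --- token construction and verification -------------------------------

    def _sign(self, *fields: str) -> str:
        msg = ".".join(fields).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def _issue(self, email: str, purpose: str) -> str:
        """Build the opaque token that goes into the e-mailed link."""
        email_b64 = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
        expires = str(int(self._now()) + LINK_TTL_SECONDS)
        nonce = secrets.token_hex(16)
        sig = self._sign(email_b64, purpose, expires, nonce)
        return ".".join((email_b64, purpose, expires, nonce, sig))

    def _redeem(self, token: str, expected_purpose: str):
        """Return the e-mail the token was issued for, or None if it is invalid.

        The nonce is burned only after every check passes, so presenting a
        login link to the activation endpoint does not consume it."""
        parts = token.split(".")
        if len(parts) != 5:
            return None
        email_b64, purpose, expires, nonce, sig = parts
        if not hmac.compare_digest(sig, self._sign(email_b64, purpose, expires, nonce)):
            return None                                  # forged or tampered
        if purpose != expected_purpose:
            return None                                  # wrong kind of link
        if not expires.isdigit() or int(expires) < self._now():
            return None                                  # expired
        if nonce in self._redeemed:
            return None                                  # already used
        self._redeemed.add(nonce)
        padded = email_b64 + "=" * (-len(email_b64) % 4)
        return base64.urlsafe_b64decode(padded).decode()

    def _start_session(self, email: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = email
        return cookie

    # --- the flow from the post --------------------------------------------

    def register(self, email: str) -> str:
        """Create a pending account and return the activation token to e-mail."""
        self.accounts.setdefault(email, {"active": False})
        return self._issue(email, "activate")

    def activate(self, token: str):
        """Clicking the activation link: enable the account and log the user in."""
        email = self._redeem(token, "activate")
        if email is None or email not in self.accounts:
            return None
        self.accounts[email]["active"] = True
        return self._start_session(email)

    def request_login_link(self, email: str):
        """Visitor without a session cookie: issue a fresh login link for that address."""
        if not self.accounts.get(email, {}).get("active"):
            return None
        return self._issue(email, "login")

    def login(self, token: str):
        """Clicking a login link: start a new session if the link checks out."""
        email = self._redeem(token, "login")
        if email is None or not self.accounts.get(email, {}).get("active"):
            return None
        return self._start_session(email)

    def authenticate(self, cookie: str):
        """Resolve a session cookie to the logged-in e-mail, or None."""
        return self._sessions.get(cookie)


if __name__ == "__main__":
    auth = MagicLinkAuth(secret=secrets.token_bytes(32))
    token = auth.register("alice@example.com")          # constructed sample address
    cookie = auth.activate(token)
    print("logged in as", auth.authenticate(cookie))
    print("replaying the link:", auth.activate(token))  # None: the link is single use
```

The token carries no secret of its own: it is a signed statement that the holder controls the mailbox, valid once and only until it expires, which is why a leaked or forwarded link is far less damaging than a password that sits in a mailbox indefinitely. The session cookie is a separate random value, so the link never becomes a long-lived credential.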
It depends on how each company wants to handle it. Some use cleartext passwords, others use password resetting.
I would say, however, if somebody is looking at your email that you have a MUCH bigger security problem (I know, different thread).
-
What if the password's random?
-
At least you have a copy in case you lose the other one.
-
Maurits, I like your solution / suggestion and will consider it for future website designs.
However, I'm still looking for an authoritative security article or white paper on this practice.
I host my personal web site via Hostway, a fairly large and well-known hosting company. A support person recently asked me to email my main site control password back to him.
I've freaked. After a series of emails and the involvement of eTrust, I've had a reply from their legal department that Hostway considers this to be common industry practice and that it makes me more secure because they are using my password to authenticate me as a user.
If a hosting company or ISP thinks nothing of sending passwords clear text and requesting them over the phone and via email, how are we (as developers) ever going to convince our users to be careful with personal information, including passwords?