| E-mailing of passwords Posted: 8/22/2009 12:40:51 PM | Heh an issue that never goes away.
I'm a bit surprised (but only a bit *sigh*) that nobody has pointed out the obvious... Emailing passwords is not only bad practice but in Canada it's of questionable legality at best. The privacy law here (PIPEDA) requires that site operators protect all personal information, which by definition is:
``personal information'' means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
When you e-mail a password you are identifying the individual holding the account, so obviously that person is identifiable :) and therefore passwords are personal information that must be protected. The big fish can insert all the clauses he wants in the TOS saying he doesn't guarantee privacy, but if anyone lodged a complaint about it I doubt very much that excuse would hold up as a justification for mailing plaintext passwords. This is an old issue with several proven solutions and if it's not already considered an obvious basic precaution not to mail plaintext passwords, I'm sure it will be in the near future.
So, adding a little checkbox to make people opt-in to reminder mailings would be a really good idea because it would both calm the endless hordes of users who are justifiably annoyed, and also cover POF's legal backside. | |
|
| E-mailing of passwords Posted: 10/1/2009 6:20:40 PM | I too have requested passwords be removed from weekly emails (with no response). As well as an ability to unsubscribe from emails (also no response).
First off, plain and simple, it's a security risk. You can argue the "importance" of what you have on this site all you want...it is still a security risk. For anybody who is technology savvy, you know that there are many ways in which sending plain-text passwords regularly through email is not secure or wise. I wouldn't be surprised if they're even stored in plain-text in the database (even more irresponsible). Vulnerable to site hacks, site exploits, packet sniffing, and plenty of other methods. As already stated by others, there is a reason no other reputable site does this.
These weekly emails that contain your password and no unsubscribe option are not only bad, but they are running along the lines of being illegal according to both US and Canadian law (as would have to be determined in a court obviously). In the US, you'd look under the CAN-SPAM act. In Canada, you'd look under the Personal Information Protection and Electronic Documents Act (PIPEDA) and Electronic Commerce Protection Act (ECPA) (Bill C-27).
Since I believe plentyoffish is located in Canada, I'll briefly put out a few quotes from the Strategis website, which is the Government's business and consumer site. It has details about PIPEDA, as well a full links to it. Reading through it helps to show what they are not abiding by here at plentyoffish.
"organizations must protect personal information with security safeguards appropriate to the sensitivity of the information"
PIPEDA defines personal information as 'information about an identifiable individual' that includes any personal information [...] For example, the following would be considered personal information: Name, address, telephone number, gender [...] racial or ethnic origin, political opinions, religious beliefs, trade union membership and sexual orientation.
While most of this information is given by the user and generally for the purpose of public display, it is still personal information and needs security. Not necessarily to prevent other people from seeing it, but from being tampered with. Reputation is not irrelevant (think about defamation lawsuits).
ALSO:
On April 24, 2009, the Government of Canada introduced anti-spam legislation, entitled the Electronic Commerce Protection Act (ECPA)
In this legislation, under Bill C-27, in the REQUIREMENTS AND PROHIBITIONS section:
6. (1) No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless [...] (2) The message must be in a form that conforms to the prescribed requirements and must [...] (c) set out an unsubscribe mechanism in accordance with subsection 11(1).
For full details and reading of ECPA visit: http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=3832885&Language=e&Mode=1&File=29#1
I'm certainly no lawyer and I don't claim to know the laws perfectly. As such, I can't guarantee any of the quotes or laws I have referenced apply to plentyoffish. However, it is in my personal opinion and interpretation of those laws that there is good reason to believe they do apply. I believe plentyoffish should care (and much more than they have shown thus far) to hold up to company ethics, customer satisfaction, and to operate within the bounds of the law. Their complete lack of interest in these concerns only show that they should be scrutinized heavily for them.
I would even suggest that anybody who has enough concern over these issues AND has failed to have their concerns looked and addressed by POF contact their nearest Better Business Bureau (BBB). The BBB was setup to help in these situations. They're located in both the US and Canada. http://www.bbb.org/canada/ or http://www.bbb.org | |
|
| E-mailing of passwords Posted: 10/1/2009 6:30:25 PM | | Woops, I just realized some of you already brought up the legality part with PIPEDA. Sorry, I stopped reading after the 2nd or 3rd page...I don't generally do that, but I was just so surprised nobody mentioned that stuff earlier and figured I'd throw it up there. | |
|
| E-mailing of passwords Posted: 10/1/2009 6:32:03 PM | I understand your concerns about protecting your personal information.
POF actually has almost NO personal information about you. No name, address, phone or anything else. Your profile is public information. Anyone can read it without even being a member.
They only have your password that's private really here.
I set up an email filter and all those emails with my password twice a week go straight into my trash folder. I never see them.
Worry more about safe guarding your computer and email account. If someone else has access to your computer and email account then I would guess that your password here would be very low priority as far as what they want to steal from you unless it's a wife or ex that has that info.
Cowboy
 | |
|
| E-mailing of passwords Posted: 10/1/2009 6:43:02 PM |
They only have your password that's private really here.
I set up an email filter and all those emails with my password twice a week go straight into my trash folder. I never see them.
The problems are:
1. Email (SMTP) is sent unencrypted and can be viewed by strangers as it passes through servers.
2. People (unwisely, but pragmatically) use the same password at multiple web sites. The way PoF sends the password through SMTP, it may make other accounts vulnerable.
There should be a "forgot password" function that would send a URL to the email address on record, which the user could click (proving possession of the email) to change their password. (It should do a few other things on top of that for security.).
Mark | |
|
| E-mailing of passwords Posted: 10/1/2009 7:00:15 PM | I agree, passwords should not be included in the weekly e-mails since the e-mails are unencrypted.
Otherwise there should be a way to subscribe from those e-mails. | |
|
| E-mailing of passwords Posted: 10/1/2009 7:13:08 PM |
I agree, passwords should not be included in the weekly e-mails since the e-mails are unencrypted.
That's probably the worst part. It's sent on a scheduled basis instead of on request. It would be a lot better if it was sent only when requested (forgot password).
But, as mentioned in the prior post, it would be better to email a URL to a web page to change the password (not email the password itself). That may seem like a subtle distinction, but some people reuse passwords at different sites. Sending only a link to change the password will protect the actual (potentially widely-used) value.
But, going further, it's a bad practice to store actual password values. Web sites should only store the MD5 checksum of the password value. Then the password can *never* be compromised by that site. It isn't kept. When users login, calculate the MD5 checksum on the provided password. Compare that checksum to the MD5 checksum stored for that user when they registered (or changed their password).
There's no reason to ever keep the actual password value. And, not having it prevents bad practices like emailing it. Not having it forces practices like emailing a URL (with a unique parameter to identify that URL to the expected recipient).
Oh well. It's a free service. I put up with a lot for free. (smile)
Mark | |
|
| E-mailing of passwords Posted: 10/1/2009 7:22:08 PM |
First off, plain and simple, it's a security risk. You can argue the "importance" of what you have on this site all you want...it is still a security risk. For anybody who is technology savvy, you know that there are many ways in which sending plain-text passwords regularly through email is not secure or wise. I wouldn't be surprised if they're even stored in plain-text in the database (even more irresponsible). Vulnerable to site hacks, site exploits, packet sniffing, and plenty of other methods. As already stated by others, there is a reason no other reputable site does this. Note to self, delete plans to take over world from my POF emails.
I would even suggest that anybody who has enough concern over these issues AND has failed to have their concerns looked and addressed by POF contact their nearest Better Business Bureau (BBB). The BBB was setup to help in these situations. They're located in both the US and Canada. http://www.bbb.org/canada/ or http://www.bbb.org So someone gives you something for free and that is not good enough for you, you must complain and go all lawyer about what you do not like about it something that you have chosen to participate in and instead of just going away you choose to stay and ****.
You must be a hoot at parties. | |
|
| E-mailing of passwords Posted: 10/1/2009 8:12:23 PM |
Note to self, delete plans to take over world from my POF emails. Sarcastic are we? You joke, but you clearly fail to see the potential security risk posed by this site. This site has how many users? Millions? Okay, good. So that means they are probably storing millions of users' email addresses and passwords in plaintext or light encryption.
Pose the situation where their site is compromised and a hacker gains access to their database. Sounds like a pretty rough situation...perhaps unlikely...maybe, maybe not. The clear lack of security thought already seen via this password situation brought here gives good reason to believe they lack care in security. Also, don't think security is limited to storing passwords or sending them in emails. It goes into the backbone of the site, how it is coded, whether or not they regularly patch code vulnerabilities, etc.
Companies with dedicated security teams fall victim to hackers so to think POF, a site supposedly run by 1 or 2 guys, could be compromised really isn't that hard. So then what? Somebody out there has over a million POF emails and passwords. How many people do you think use the same email on POF as their email? I'm going to bet a decent percentage...but even if it were less than 1%, that's over 100,000 people. How many of those people do you think have banking information in their email? Amazon login info? Ebay info? Etc Etc etc. All of these places store your credit card info.
It wouldn't take long for all of these people to be taken advantage of and put into financial devastation. Just because you and myself may be smart enough to use different passwords everywhere, doesn't mean everyone is.
This is a serious issue and the fact that you think it's a laughing matter shows your ignorance.
So someone gives you something for free and that is not good enough for you, you must complain and go all lawyer about what you do not like about it something that you have chosen to participate in and instead of just going away you choose to stay and ****.
You must be a hoot at parties. I can tell you're a funny guy. Good for you.
First off, free is a relative term. I'm one of the many people who view the ads they show me (and willingly, I don't mind). POF is raking in money, so don't think they give for the sake of giving. They don't. It's a registered business (for-profit).
Secondly, I don't complain for the sake of complaining. I inform to help make this site better and to help keep others on this site safe. Certainly there is one other reason and that is for a more self centered reason...which is that as a person in the web development industry, it upsets me that other developers could ignore the security of their site and open their own users to very real threats. It's one thing if you try your best to patch all the holes and protect your users in every way you know how, but fail.....but when somebody shows you an open threat and you chose to ignore it!?!? That's not acceptable to me.
Could I leave this site? Sure. Does that make everything better? No. People will still be at risk. I'm sorry if I'm not ignorant enough to just go on past this site and be content with knowing I'm personally safe, while others are not.
Really, I'm sorry I can't be that way.
Oh my, look, my last comment was sarcastic...I can do it too. | |
|
| E-mailing of passwords Posted: 10/2/2009 7:03:48 AM |
Companies with dedicated security teams fall victim to hackers so to think POF, a site supposedly run by 1 or 2 guys, could be compromised really isn't that hard. So then what? Somebody out there has over a million POF emails and passwords. How many people do you think use the same email on POF as their email? I'm going to bet a decent percentage...but even if it were less than 1%, that's over 100,000 people. How many of those people do you think have banking information in their email? Amazon login info? Ebay info? Etc Etc etc. All of these places store your credit card info. So you are basically saying that the only people at risk are those that have not practised due diligence and common sense when it comes to selecting a user name and password.
It wouldn't take long for all of these people to be taken advantage of and put into financial devastation. Just because you and myself may be smart enough to use different passwords everywhere, doesn't mean everyone is. I agree but I would say their irresponsible behaviour would not be limited to POF and thus you would just be prolonging the inevitable anyway.
This is a serious issue and the fact that you think it's a laughing matter shows your ignorance. If it matters I am only laughing on the outside.
First off, free is a relative term. I'm one of the many people who view the ads they show me (and willingly, I don't mind). POF is raking in money, so don't think they give for the sake of giving. They don't. It's a registered business (for-profit). No it is not relative, its free, plain and simple, free to join, free to use and no one is requiring anyone to be here, so it is all completely voluntary.
Secondly, I don't complain for the sake of complaining. I inform to help make this site better and to help keep others on this site safe. Certainly there is one other reason and that is for a more self centered reason...which is that as a person in the web development industry, it upsets me that other developers could ignore the security of their site and open their own users to very real threats. It's one thing if you try your best to patch all the holes and protect your users in every way you know how, but fail.....but when somebody shows you an open threat and you chose to ignore it!?!? That's not acceptable to me. If people voluntarily put themselves at risk why should it be up to the service they choose to use to change for their sake.
The world is a cruel place and people will take advantage of you if you are not smart enough to protect yourself so I say to those people get smart or get a helmet because it is going to be a bumpy ride.
Really, I'm sorry I can't be that way.
Oh my, look, my last comment was sarcastic...I can do it too. FYI - The sarcasm kinda loses its punch when you have to point it out. | |
|
| E-mailing of passwords Posted: 10/2/2009 10:03:03 AM |
Companies with dedicated security teams fall victim to hackers so to think POF, a site supposedly run by 1 or 2 guys, could be compromised really isn't that hard. So then what? maybe you missed it a few weeks back? when admin discontinued imeem because imeem got hacked, and the hackers tried to breach pof? and he sent an email to those whose profiles were compromised and anyone who had viewed those profiles, telling them to change their passwords. even if he's only one guy, seems to me he caught that pretty damn quick! and took measures to safeguard his users.
How many people do you think use the same email on POF as their email? I'm going to bet a decent percentage...but even if it were less than 1%, that's over 100,000 people. i think you're wondering how many use the same password on their email and on pof. in truth, it's probably more than 1%.
How many of those people do you think have banking information in their email? Amazon login info? Ebay info? Etc Etc etc. All of these places store your credit card info. i'd hope that number would be smaller, but it's probably not. if someone signed up for pof using their real email, as opposed to a throwaway address (hotmail, gmail, yahoo), and further used that mail for banking, and everything else they do on the web, with the same password, well, it's likely only matter of time before they get burned.
It wouldn't take long for all of these people to be taken advantage of and put into financial devastation. Just because you and myself may be smart enough to use different passwords everywhere, doesn't mean everyone is. there's this little thing called personal responsibility.
I inform to help make this site better and to help keep others on this site safe. thank you, Sir Galahad!
sadly, you're about 3 1/2 years too late on this one. note 4 pages to this thread, plus multiple other threads, averaging 1 every 2 weeks x 3 1/2 years, pointing this issue out. note also, the lack of any change. draw the logical inference - it isn't going to change.
Certainly there is one other reason and that is for a more self centered reason...which is that as a person in the web development industry, it upsets me that other developers could ignore the security of their site and open their own users to very real threats. It's one thing if you try your best to patch all the holes and protect your users in every way you know how, but fail.....but when somebody shows you an open threat and you chose to ignore it!?!? That's not acceptable to me. you've given it a shot, now let it go.
get used to it: you can't fix things that are out of your control.
cheers!
 | |
|
| E-mailing of passwords Posted: 10/2/2009 3:10:05 PM | You can say it is people's responsibility to protect themselves all you want and I certainly agree with it. However, that doesn't change the fact that developers and site owners are responsible for keeping their site secure and their users safe. There are reasons they have laws for this. You can blame the individual all you want and you can believe that they deserve it....that doesn't change things because there is still responsibility on both ends.
Also, since none of you seem to respond about there being no unsubscribe options within these weekly emails....I'd like to hear your thoughts on that one. Do you think it is okay for POF to be breaking the law? | |
|
| E-mailing of passwords Posted: 10/2/2009 3:41:12 PM | You can say it is people's responsibility to protect themselves all you want and I certainly agree with it. However, that doesn't change the fact that developers and site owners are responsible for keeping their site secure and their users safe. There are reasons they have laws for this. You can blame the individual all you want and you can believe that they deserve it....that doesn't change things because there is still responsibility on both ends. So far I would say the owner has done a great job of keeping this site safe and secure as I have not had any problems, but can only speak for myself.
It is a free market, if he (one guy named markus) does not want to do it then why should he have to.
This is something you are not obligated to do, so the responsibility is completely with the user.
Also, since none of you seem to respond about there being no unsubscribe options within these weekly emails....I'd like to hear your thoughts on that one. Do you think it is okay for POF to be breaking the law? When you signed up you agreed to getting a weekly email so no laws broken.
If you no longer would like to receive that email then all you have to do is delete your account and problem is solved.
This is like someone inviting you to a party and you get there and do not like the music and despite the fact you are free to go and no obligation or reason to be there other than your own personal choice you not only complain about the music you want to call the cops, ergo making you "that guy" at parties. | |
|
| E-mailing of passwords Posted: 10/2/2009 4:36:55 PM |
When you signed up you agreed to getting a weekly email so no laws broken.
If you no longer would like to receive that email then all you have to do is delete your account and problem is solved.
This is like someone inviting you to a party and you get there and do not like the music and despite the fact you are free to go and no obligation or reason to be there other than your own personal choice you not only complain about the music you want to call the cops, ergo making you "that guy" at parties. Maybe you should try reading the law before saying no laws were broken. The law states a good number of requirements in sending out commercial emails. One obviously being consent, but that is not the part I believe POF is breaking. One of the other requirements says that if you send out regular commercial emails you MUST provide an Unsubscribe option WITHIN the email. POF does not do this. This does not regard consent...it is its own requirement.
It's called the Electronic Commerce Protection Act (ECPA) Bill C-27. The actual bill is located online right here for easy viewing: http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=3832885&Language=e&Mode=1&File=29#1
Try reading.
If that's too much for you, then don't say it's not against the law. That is one bill that is actually quite easy to follow as a normal citizen. It even provides definitions of the words it uses within it. It doesn't get any simpler than that. | |
|
| E-mailing of passwords Posted: 10/2/2009 6:53:14 PM |
It is a free market, if he (one guy named markus) does not want to do it then why should he have to.
I agree with both of you. It's a free service and I wouldn't expect the level of professionalism that comes from a service with 200 employees (and the checks and balances that comes from such an environment).
But, it really is an incredibly bad practice to email passwords in clear text. Even worse to do it on a regular and unsolicited basis.
The best practice is to not even keep the user's password. Just calculate an MD5 checksum from the value, and keep that. (If the servers are hacked, hackers would only get the checksum, which can't be used for much.). Then, when users login, just calculate the checksum on the password they supply, and compare it to the checksum which is kept on the server (instead of the actual password value).
Mark | |
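Added example, not part of any post in this thread: a sketch of the two ideas raised above, keeping only a derived value of the password and e-mailing a single-use reset URL instead of the password itself. It uses salted PBKDF2 where the posts mention an MD5 checksum, since a salted, deliberately slow derivation is the standard choice for password storage; `AccountStore`, the `example.invalid` URL, the 30-minute expiry and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # work factor chosen for this example
RESET_TTL_SECONDS = 30 * 60   # assumed policy: reset links expire after 30 minutes


def hash_password(password):
    """Return (salt, iterations, derived_key). The password itself is never kept."""
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords give different records
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, PBKDF2_ITERATIONS, key


def verify_password(password, record):
    """Re-derive from the supplied password and compare in constant time."""
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


class AccountStore:
    """In-memory stand-in for a site's user table (hypothetical)."""

    def __init__(self):
        self.users = {}          # email -> (salt, iterations, derived_key)
        self.reset_tokens = {}   # sha256(token) -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        record = self.users.get(email)
        return record is not None and verify_password(password, record)

    def request_reset(self, email, now=None):
        """Return the URL to e-mail to the address on record, or None if unknown.

        The caller should show the same response either way so the form
        does not reveal which addresses have accounts.
        """
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to the password
        # Store only a hash of the token, so a leaked table holds no usable links.
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        self.reset_tokens[digest] = (email, now + RESET_TTL_SECONDS)
        return "https://example.invalid/reset?token=" + token

    def complete_reset(self, token, new_password, now=None):
        """Set a new password if the token is known, unused and unexpired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self.reset_tokens.pop(digest, None)  # pop makes the link single-use
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    # Constructed sample account and password.
    store.register("user@example.invalid", "constructed-sample-pw")
    url = store.request_reset("user@example.invalid")
    print("mail this link, never the password:", url)
    token = url.split("token=", 1)[1]
    print("reset accepted:", store.complete_reset(token, "new-constructed-pw"))
    print("link reused:", store.complete_reset(token, "another-pw"))
    print("old password still works:", store.login("user@example.invalid", "constructed-sample-pw"))
```
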
|
| E-mailing of passwords Posted: 10/2/2009 8:04:19 PM | house of commons of canada BILL C-27
REQUIREMENTS AND PROHIBITIONS OBLIGATIONS ET INTERDICTIONS Unsolicited electronic messages 6. (1) No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied;...
...(c) set out an unsubscribe mechanism in accordance with subsection 11(1).
Which for you to unsubscribe you just have to close your account.
Does not get much simpler than that does it?
But, it really is an incredibly bad practice to email passwords in clear text. Even worse to do it on a regular and unsolicited basis. Maybe it is for you but what makes you think it is bad practise for the site Owner. I would say if it was detrimental to him do you not think he would change it.
So maybe to him no biggy.
Or maybe there is a reason,
Maybe it does not appeal to people who would require a more secure site due to the fact that anyone snooping their mail could easily get in.
Maybe when some married people trying to hide keep getting these emails they will leave for the risk of being caught.
I know that is pretty far out there but the answer is, only one person knows and we are not one of them.
The best practice is to not even keep the user's password. Just calculate an MD5 checksum from the value, and keep that. (If the servers are hacked, hackers would only get the checksum, which can't be used for much.). Then, when users login, just calculate the checksum on the password they supply, and compare it to the checksum which is kept on the server (instead of the actual password value). Reminds me of this urban legend / story (condensed version)
US spent a ton of money developing a pen to work in space. USSR used a pencil.
| |
|
| E-mailing of passwords Posted: 10/2/2009 8:09:53 PM | That seems to miss the point. That regulation is about emails, not divulging personal identification.
The problem is that someone joins PoF, accepts that they'll receive administrative emails, and then begins to receive their password sent in cleartext. That's not normal.
EDIT: But, you're right that, for a free service, the simplest (and most reasonable) recourse is to delete the account.
| |
|
| E-mailing of passwords Posted: 10/2/2009 8:29:11 PM |
Maybe you should try reading the law before saying no laws were broken. The law states a good number of requirements in sending out commercial emails. One obviously being consent, but that is not the part I believe POF is breaking. One of the other requirements says that if you send out regular commercial emails you MUST provide an Unsubscribe option WITHIN the email. POF does not do this. This does not regard consent...it is its own requirement. maybe it's you that needs to go back and read the law. or, maybe you need to get a law degree. whatever...
per the definitions of that law,
“commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada. i submit, that a free online dating website does not meet the requirements for "commercial activity". hence, pof is exempt from this law.
try another argument. this one has just met a brick wall. thus, it is unnecessary to even address the "consent" or "implied consent" issues. even if this law was germane, it would be obviated by the implied consent provisions (remember, those pesky TOS provisions that all members agree to, when they sign up). | |
|
| E-mailing of passwords Posted: 10/2/2009 8:41:13 PM | even if this law was germane, it would be obviated by the implied consent provisions (remember, those pesky TOS provisions that all members agree to, when they sign up).
Terms of Service (TOS) are generally held to enhance a user's rights, not limit them. For example, a TOS which says "you agree to turn over your firstborn child," wouldn't be enforceable. A more realistic example is a TOS saying "you agree not to hold this site responsible for revealing your password." That wouldn't be a valid contract.
In any contract, there is always an expectation of reasonableness. I don't know exactly where that line is drawn. But, (like defining obscenity), it's easy to identify what crosses the line.
But, I agree with you that it's a free service and the most reasonable solution is to not use it if you feel you're not getting your money's worth. (wink). I just wouldn't rely on EULAs (TOS) to say a free service can get away with anything.
Mark | |
|
| E-mailing of passwords Posted: 10/2/2009 9:15:54 PM |
i submit, that a free online dating website does not meet the requirements for "commercial activity". Well, it'd be interesting to see if the "Serious Member" thing fell within the same definition. I wonder if AdSense income falls outside the commercial activity model too. Maybe the 'commercial activity' model is a bit outdated given that plenty of businesses benefit commercially from same.
(remember, those pesky TOS provisions that all members agree to, when they sign up) Hehe, yeah . . dunno about Canadian law (or any other law for that matter) but in Oz there are provisions that don't permit a business to have you sign away basic rights . . TOS or no TOS. Is there nothing like this in Canada? | |
|
| E-mailing of passwords Posted: 10/2/2009 10:08:47 PM |
Well, it'd be interesting to see if the "Serious Member' thing fell within the same definition. it probably doesn't, as a "transaction" would have occurred. however, collin does not have standing to make such an argument, as he is not a "serious member".
even so, in the expectation that someone out there is...said claims would be obviated by the provisions regarding consent and/or implied consent...since all agree to the tos when they sign up to pof.
again, it comes down to accepting personal responsibility. you sign up for a service, you agree to its terms and conditions, and can't come back later and complain about something you agreed to. | |
|
| E-mailing of passwords Posted: 10/2/2009 10:22:30 PM |
even so, in the expectation that someone out there is...said claims would be obviated by the provisions regarding consent and/or implied consent...since all agree to the tos when they sign up to pof.
Terms of Service (TOS) don't eliminate reasonable expectations of the service provider. The questions are
1) Whether protecting a user's password is such an expectation. 2) Whether the fact that the service is free eliminates any expectations.
I believe the answer is Yes to #1. Not sure about #2. | |
|
| E-mailing of passwords Posted: 10/2/2009 11:26:54 PM |
it probably doesn't, as a "transaction" would have occurred. . . which was the point.
however, collin does not have standing to make such an argument, as he is not a "serious member". . . which is beside the point.
again, it comes down to accepting personal responsibility. Certainly . . and I don't think anyone is suggesting anything different. No one, as far as I can see, is suggesting that POF should take responsibility for the users security . . at the user end.
The question really being asked is: Is it OK for POF to undermine that end user security by sending e-mails with their password in plain text?
And just to anticipate the . . ummm . . 'answers' provided thus far. No, I'm not a Serious Member. Yes, I'm married. Yes, I agreed to the TOS. I'm discussing, not complaining. Yes, account deletion would 'fix' the problem. I do realise it's a free site.
. . and there's probably a few more I missed. I reckon these 'answers', while probably valid in various ways, are largely obfuscation.
get used to it: you can't fix things that are out of your control. Yep.  | |
|
| E-mailing of passwords Posted: 10/3/2009 12:48:35 PM |
The question really being asked is: Is it OK for POF to undermine that end user security by sending e-mails with their password in plain text?
I was thinking about this angle a little more. Is PoF undermining your security, or PoF's security when it treats passwords so carelessly?
If PoF needlessly emailed your home address, credit card number, etc., I could agree the site undermines *your* security. But, the password is important for the site's integrity. I think the careless treatment of passwords tends to hurt the site more than the person who created the password on the site.
However, I agree that most people reuse the same password at many sites just because remembering many passwords isn't feasible. In that sense, PoF contributes to the user's undermining of their own security.
And, just to be clear, I agree with others who say it's a free site and there's not a lot to complain about relative to the price we pay.
Mark | |
|