Sometimes I Just Shake My Head – Security Problem

At times I have discussed security on this blog and mentioned the challenges of being secure when using M2M. However, this post has nothing to do with Consona.

I read several blogs on a regular basis for programming and SQL information. In fact, I think I’ll list the blogs I recommend in a future post. One of the sites I frequent is Simple Talk, and I enjoy their SQL Server articles. Eventually, I decided to comment on an article. The site requires you to sign up to comment, so I did so.

This is the message I got from them thanking me for signing up.

-----Original Message-----
From: Simple-Talk – Automated Email []
Sent: Thursday, March 26, 2009 4:35 PM
To: David G. Stein
Subject: Simple-Talk membership details
Importance: High


You applied to join Simple-Talk, and may now login.

Username: DavidStein
Password: ForgetIt

To login, please visit:

After logging in you can change your password here:

Simple-Talk team

They included the user name and password directly in the e-mail. This is a bad practice for several reasons. The first is that if someone gets access to my e-mail account, they can now get into Simple Talk as me. They can spam the blogs and whatnot.

Now you may ask, “So what?” Well, the second reason is that most people use the same login for many if not all of the sites they visit. Don’t you do that? It’s human nature to do so.

So, if I used the same login for Simple Talk that I had for my online banking, Amazon, Ebay, Paypal, or other sites, the person who hacked my e-mail now has access to very sensitive areas of my life.

I’m sure we’ve all seen small sites which make mistakes like this, but this is a blogging site for programmers of all types, and one would think they would know better.
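What the signup flow should do instead is never put the password in the message at all: store only a salted hash, and e-mail a random, single-use, expiring activation token. The sketch below is an added illustration of that pattern and is not Simple-Talk's code; the in-memory dictionaries, the `example.invalid` link and the one-hour expiry are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stand-ins for a user table and a token table (assumption).
USERS = {}
TOKENS = {}
TOKEN_TTL = 3600  # activation links expire after one hour (assumed policy)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash; the plaintext is never stored, so it can never be mailed later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def register(username: str, password: str, now: Optional[float] = None) -> str:
    """Create the account and return the e-mail body, which carries an activation token, not the password."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "active": False}
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is kept server-side, so a leaked table cannot be replayed.
    expires = (now if now is not None else time.time()) + TOKEN_TTL
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, expires)
    return f"Username: {username}\nActivate: https://example.invalid/activate?token={token}\n"


def activate(token: str, now: Optional[float] = None) -> bool:
    """Consume the token once; reject unknown or expired tokens."""
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expires = entry
    if (now if now is not None else time.time()) > expires:
        return False
    USERS[username]["active"] = True
    return True


def login(username: str, password: str) -> bool:
    """Constant-time comparison of the submitted password's hash against the stored one."""
    user = USERS.get(username)
    if user is None or not user["active"]:
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["hash"])
```

Even if the mailbox is read later, the only thing an attacker finds is a spent link.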

What sites have you noticed that also include this information in their e-mails?

3 comments to Sometimes I Just Shake My Head – Security Problem

  • I could not even begin to list the various sites I have seen that do the same thing.

    Typically I find them on social sites that have to do with blogs, forums, or some other form of site sharing ideas and information.

    I have various levels of passwords that I use. If the site has no information I would want confidential or does not have anything to do with anything important, then I use my generic username and password. Typically the passwords on these are simple character strings, primarily text with numeric and special characters only when required.

    For sites related to my income I use a different username and password. And sites related to expenditures, such as my bills, have yet another username and password. These always include alphanumeric and special characters.

    So I have varying degrees of UN/PW that I use depending on the purpose for which they are used. Basically I treat my own information like I would the users in one of my databases. My sites are my own database, and I have different levels of access required for different bits of information.

  • Actually, people don’t even need to hack your email. All they have to do is sniff mail traffic anywhere between your home computer and Simple-Talk’s mail server. It’s relatively easy to find points where mail traffic is sent across the wire unencrypted (especially for people who use POP mail clients) and presto, they overhear your password as it comes through via the email content.

  • Fred Crawford

    I was helping a friend set up their new home PC the other day, and I wanted them to log into “com.cast” (their internet service provider) and change their password. We were having trouble getting their emails, and I wanted to verify that they had the correct password, and second, I figured it might be a good time to have them change their password. I was connected to them remotely, so I could see their screen. When they were on the screen where they had to type their old and new password, I told them I wouldn’t look. They said no problem, it is asterisking out the letters as they type. So, I looked. All was good until they clicked the accept button, and then com.cast displayed a verification screen actually showing their old and new password (not asterisking them out). I couldn’t believe it.
