Internet Security

This past week I had a horrible conversation with a support person about why sending my password in plain text over email was a bad idea. That conversation made me realize that we need to figure out how to educate people better on internet security and privacy.

I recently signed up for a website that I thought my kids would enjoy. It had a free 30 day trial, but required me to provide my credit card information on sign up. I thought the service was worth trying, so I did so. After signing up I went about my business, and about 20 minutes later I noticed an email in my inbox with my username and password for the site. I was not happy. I went back to the site and back through the steps of signing up to see who processed my credit card. Thankfully it was a third party processor, so I did not have to fear that this company was storing my credit card info.

Once I stopped worrying about my credit card, I emailed their support to let them know my disappointment over this security flaw and to ask them to confirm that my password was not stored in plain text. The following is part of the response that I received.

Thank you for your message and for voicing your concerns. We want to reassure you that our databases and site are all very secure and we’re following all security best practices and standards. Most emails are sent encrypted and the format that text is stored in the database or emailed is not a reflection on how secure that actual database is. So the fact that you received an email with your password in Plain Text is not a reflection of how we store or protect the passwords. We have all kinds of firewalls and proxies in place to protect our content as well as storing it in encrypted ways. Any information shared with Company Name is well protected as we definitely want to be as protective as possible with our users’ information. You are correct in saying that it is unwise to use the same password/email address for an online account and your bank account, so if this is the case with your password, we do recommend you change one of those passwords.

After a few rounds back and forth I was finally able to convey to the support person that most emails are not encrypted, as he had claimed, and that email traffic can be read at any point along the way from the sender to the receiver. A day or so later I received an email notifying me that they had stopped sending out passwords in emails.

That is not the point of this post though. I am concerned with the lack of technical knowledge that people have about the internet. Everyone understands that when you leave your house you should lock the doors, but at the same time most people do not take security on the internet seriously at all. We are failing to educate users on the importance of proper security, and now that it is so easy to create and develop websites, these users are also creators who lack the knowledge to properly secure their properties on the web.

I don’t know how to fix this issue, but it is something that definitely needs to be addressed. I am not worried about the next group of Mark Zuckerbergs or Larry Pages; they will understand the importance of securing the web. There is, however, a whole generation of people who grew up on the internet and will know enough to make websites and content online, but lack the understanding of how it all really works.