Liquid Hotdog

mySpace.com, Pandora.com, not worth trusting.

I’m quite surprised to see two very prominent sites that use very archaic and insecure password-reset schemes. If you lose your password and ask to have it sent to your email, they don’t do what you’d expect from any trustworthy site. They simply send you your original password. That alone tells you something: a site can only mail your original password back if it stores it in a recoverable form (plaintext or reversibly encrypted) rather than as a one-way salted hash, so anyone who gets hold of their user database gets every password on it.

If you don’t understand the implications of this, let me lay it out for you. Email is commonly sent in clear text and often bounces through multiple servers before reaching its destination. This means that anyone with access to any of those servers along the route has a chance to steal your password. Worse, someone on the same network as one of those servers could record the packets being sent and steal your password that way. On top of that, mail that reaches your computer is also stored in clear text, which again means that anyone with access to your computer can see the password. And it also means that anyone standing behind you when you open the email is going to see your password.

The proper solution is what’s done by most sites currently. They reset your password to some random sequence (or, better still, send a single-use link that expires after a short time). It’s up to you to then log into the site and set it back to something you remember. A site can do this only if it never stored your original password in the first place, just a salted hash of it, and since the temporary password still travels through email, it should stop working the moment you replace it. Although someone could still possibly hijack your account, they’ll only have access to that one account and not every other one where you used the same password.
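To make the difference concrete, here is an added example (mine, not code from the post or from either site) that puts the two schemes side by side in Python. The first store keeps passwords as typed, which is the only way a "forgot password" mail can contain the original. The second keeps only a salted PBKDF2 hash, so the original is unrecoverable; its reset mints a random temporary password, invalidates the old one immediately, and forces a change at the next login. The in-memory dict standing in for the user table and the user name "alice" are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# a production deployment should tune this upward (or use Argon2id / scrypt).
PBKDF2_ITERATIONS = 100_000


class PlaintextPasswordStore:
    """The scheme the post criticises: the site keeps the password itself,
    which is the only way it can mail the original back on 'forgot password'."""

    def __init__(self):
        self._passwords = {}  # user -> password, exactly as typed (assumed user table)

    def register(self, user, password):
        self._passwords[user] = password

    def check(self, user, password):
        return self._passwords.get(user) == password

    def forgot_password(self, user):
        # The body of the recovery mail is the original password itself.
        return self._passwords[user]

    def dump(self):
        # What an attacker sees after stealing the user table: every password.
        return dict(self._passwords)


class HashedPasswordStore:
    """The scheme the post recommends: only a salted hash is stored, so the
    original cannot be recovered; a reset issues a fresh random temporary
    password that the user must replace at the next login."""

    def __init__(self):
        self._records = {}  # user -> {"salt", "hash", "must_change"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def _set(self, user, password, must_change):
        salt = os.urandom(16)  # fresh per-password salt, never reused
        self._records[user] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "must_change": must_change,
        }

    def register(self, user, password):
        self._set(user, password, must_change=False)

    def check(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            # Burn a hash anyway so response time does not reveal whether the user exists.
            self._hash(password, bytes(16))
            return False
        # Constant-time comparison of the stored hash with the freshly computed one.
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def must_change_password(self, user):
        return self._records[user]["must_change"]

    def forgot_password(self, user):
        # The stored hash cannot yield the old password, so mint a random one.
        # Overwriting the record means the old password stops working at once,
        # and must_change forces the user to pick a new one on first login.
        temp = secrets.token_urlsafe(12)
        self._set(user, temp, must_change=True)
        return temp  # this is what the reset mail carries

    def change_password(self, user, current, new):
        if not self.check(user, current):
            return False
        self._set(user, new, must_change=False)
        return True

    def dump(self):
        # What an attacker sees after stealing the user table: salts and hashes only.
        return {u: {"salt": r["salt"].hex(), "hash": r["hash"].hex()}
                for u, r in self._records.items()}


if __name__ == "__main__":
    plain = PlaintextPasswordStore()
    plain.register("alice", "hunter2")
    print("plaintext store mails back:", plain.forgot_password("alice"))

    hashed = HashedPasswordStore()
    hashed.register("alice", "hunter2")
    temp = hashed.forgot_password("alice")
    print("hashed store mails a temporary password:", temp)
    print("old password still works?", hashed.check("alice", "hunter2"))
    print("must change at next login?", hashed.must_change_password("alice"))
```

The `dump()` methods are there to show what a database breach yields under each scheme: the first leaks every password verbatim, the second leaks only salts and hashes that still have to be brute-forced per user. The temporary password is still emailed in the clear, which is why the modern refinement is a single-use, short-lived reset link; the example keeps the random-password flow the post describes.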

The moral of the story? Don’t trust www.pandora.com or www.myspace.com, and don’t reuse the password you gave them anywhere else. More importantly, with these two sites, don’t forget your password!

-- MrBlaQ
Filed under: Main — March 7, 2008 @ 12:19 pm