OT - Question about passwords

[Liz]

I always thought that passwords are not known to anyone but the person who set it up.

I forgot my password at a specific website and sent the usual "forgot password" email to them (automatic).

I got an email from their customer service (person's name included) informing me of my current password and how to change it.

Is this normal? I guess I'm being naive about some things.

Liz

[another view]

Usually I get an automatic reply with the password in a case like that but there are a couple of times I've received a note like you mention. I'm sure that the people who run whatever site do have access to that info (but not us moderators here anyway! ).

[Trevor Ash]

You should always assume that someone who works for the company somewhere has access to your password. You can reduce the amount of risk of problems by using completely different passwords for all of the important things you have that are password protected.

It sucks, I know. But there's not much that can be done and you just can't trust your data to other companies no matter how hard they try to keep it safe for you. Somone always ends up hacking into their servers and getting your credit info or whatever you have there.

I hope that laws are changed soon in a way that makes companies pay when data is stolen from them and they didn't take reasonable steps to keep it safe.

Now, for web-site forums and message boards it's even more important to NOT use a password that is the same password for something else because there's a much bigger chance of people having access to it.

[Liz]

for the information. Yep, I've been naive. Just changed all my passwords - they're not the same, but too close for comfort.

Liz

You should always assume that someone who works for the company somewhere has access to your password. You can reduce the amount of risk of problems by using completely different passwords for all of the important things you have that are password protected.

It sucks, I know. But there's not much that can be done and you just can't trust your data to other companies no matter how hard they try to keep it safe for you. Somone always ends up hacking into their servers and getting your credit info or whatever you have there.

I hope that laws are changed soon in a way that makes companies pay when data is stolen from them and they didn't take reasonable steps to keep it safe.

Now, for web-site forums and message boards it's even more important to NOT use a password that is the same password for something else because there's a much bigger chance of people having access to it.

[Liz]

Thanks ......... yes, it was a bit surprising when I saw my name in the greeting - and "your password is presently __________. You can change it by doing the following. I should have known that. O well......glad I asked.

So I just changed them all!

Liz

Usually I get an automatic reply with the password in a case like that but there are a couple of times I've received a note like you mention. I'm sure that the people who run whatever site do have access to that info (but not us moderators here anyway! ).

[Liz]

What about pin numbers - and passwords at banks and credit card companies? When you go online at the bank, you put in a password - but the first time, you have to enter your pin so it will recognize who you are.

So, how is this different than other passwords. Does the "secure website" have more confidentiality?

Thanks. Sorry if these are stupid questions, but I didn't even think about it until I got that email with the password in it.

Liz

You should always assume that someone who works for the company somewhere has access to your password. You can reduce the amount of risk of problems by using completely different passwords for all of the important things you have that are password protected.

It sucks, I know. But there's not much that can be done and you just can't trust your data to other companies no matter how hard they try to keep it safe for you. Somone always ends up hacking into their servers and getting your credit info or whatever you have there.

I hope that laws are changed soon in a way that makes companies pay when data is stolen from them and they didn't take reasonable steps to keep it safe.

Now, for web-site forums and message boards it's even more important to NOT use a password that is the same password for something else because there's a much bigger chance of people having access to it.

[berrywise]

It is surprising how much harder it is for someone to figure out your password just by adding a number into it somewhere. I should get around to updating some mine since it has been a while.

[jar_e]

What about pin numbers - and passwords at banks and credit card companies? When you go online at the bank, you put in a password - but the first time, you have to enter your pin so it will recognize who you are.

So, how is this different than other passwords. Does the "secure website" have more confidentiality?

Thanks. Sorry if these are stupid questions, but I didn't even think about it until I got that email with the password in it.

Liz

With most banking sites, all their information is encrypted (lots of security and nearly impossible to hack), and usually those things are pretttttty safe for doing business on. If they weren't too safe, I think you'd be hearing alot more about it.

Jared

[SmartWombat]

Normally these would be automated emails, and the password not visible in the customer services system. At least it would be if it was set up sensibly
The systems I design work by storing the password encrypted, and sending the email direct from the program so that it doesn't appear in the outbox of the customers services agent.
You can't read the passwords and user IDs by breaking in and reading the tables, even our IT staff can'tdo that without the digital cerfiticate.
But anything in email should be considered suspect, if you're sufficiently paranoid then you only use encrypted emails to the client, and they are the only people who can read them> We dont' have any cusotmer who are that concerned yet.

Definitely not reusing password on sensitive accounts (like your online bank) that you also use on other services is a very good idea.
Forum passwords I generally use the same, simple password so I can remember it. Banks, tax submission, professional mamberships, all have passwords so sryptic I have to write them down.

Of course that breks rule 1 - don't write down passwords

[Michael Fanelli]

I always thought that passwords are not known to anyone but the person who set it up.

I forgot my password at a specific website and sent the usual "forgot password" email to them (automatic).

I got an email from their customer service (person's name included) informing me of my current password and how to change it.

Is this normal? I guess I'm being naive about some things.

This should not be happening but often does anyway. A secure site is set up so even the system admins can't get your password. If you forget your password, they reset your password to a dummy password that you then change. There is no reason in the world why they need to keep your password accessible. If they can get it, so can any hacker. Beware.

[Photo-John]

There are all kinds of registration systems with all sorts of levels of security. For most systems it probably doesn't matter if administrators have access to your password. We have a very secure system. I don't have access to passwords for this site. But they are stored in a database that our developers can access. So I could dig them up if I wanted to.If you e-mail me for password info, all I'll do is reset it for you. I won't ever actually see your password. Nor is there any reason I would ever need to. If the site you're dealing with is really small, it's possible that one person is running everything and has easy access to all data. That might explain your experience.

It's best to use different passwords for sensitive information than for less important Web sites and services. Of course, it's soooo hard to keep track of them all. If you're like me, you're registered for 50+ Web sites and online services.

[natefromri]

I run a web site with over 4500 members (http://www.airforcesecuritypolice.com). However, I do not have access to passwords. I sometimes wish that I did, since I have a lot of members that get deployed and when they come back, they have forgotten them and email me for them. I simply set up a dummy password for them to get them back on track.

I guess that it would depend on the type of web site as far as if the administrator knows the password you chose.

--Nate

[Peter_AUS]

Liz,

Possibly the password scripting has been setup to include someones name so it is more personal than just from a Bot reply.

A bit like putting the signature automatically after a post is posted, saving typing.

[Liz]

I learned quite a bit from all of your experiences - and advice. I understand how this happened now. I'm also a bit careless about using the same passwords - which I've changed now, except for a few which I don't care about.

Liz