Passwords
varnav, 2015-12-28 15:08:10

Is sending a password by email after registration not safe?

Hello!
I constantly come across sites that ask you to enter a password after registration and then send it to your email.
Is there any article that explains that doing this is wrong, and why?
Because attempts to write to the authors of these sites usually run into a wall of misunderstanding.
UPD: "They" have a project, plaintextoffenders.com. Is there an equivalent in Runet?


3 answer(s)
Dimonchik, 2015-12-28
@dimonchik2013

Article:
If the service is able to send you the password in the form in which you entered it, or in which it was generated, but sends it again or ... in short, in the usual form, then this service stores passwords in its database in clear text. This means that in the event of a hack, including a common one such as SQL injection, your password will be available to an attacker, regardless of its complexity.

Optimus, 2015-12-28
Pyan @marrk2

If this is a forum or some secondary system, then it doesn't matter, let them send it, it's even convenient (I won't lose it), but if it's some serious system, then it's probably undesirable, although I know hosters who send the generated password by mail.
It all depends on the user, because the email with the password can be deleted immediately... So I don't think it's unsafe...

tguglanaklona, 2015-12-30
@tguglanaklona

I agree with dimonchik2013. In addition, if someone takes over access to your mail, then SQL injection will not be needed, just an archive of mail messages. And users are known to often use the same passwords on different services.
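
The following is an added example, not part of any answer in this thread: registration that stores only a salted scrypt hash, and a reset flow that mails a single-use, expiring link instead of a password, so neither the database nor the mail archive ever holds the password. The in-memory `USERS`, `TOKENS` and `OUTBOX` stores, the function names and the `example.invalid` URL are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

USERS = {}    # email -> {"salt", "pw_hash"}; stand-in for a users table
TOKENS = {}   # sha256(token) -> (email, expiry); only the token hash is stored
OUTBOX = []   # constructed stand-in for a mail sender: (recipient, body)

def _hash_password(password, salt):
    # scrypt: memory-hard KDF from the standard library
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)

def register(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": _hash_password(password, salt)}
    # The confirmation mail carries no password at all.
    OUTBOX.append((email, "Your account was created. "
                          "Sign in with the password you chose."))

def verify(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(user["pw_hash"], candidate)

def request_reset(email, ttl=900, now=None):
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    # A leaked TOKENS table does not yield usable tokens.
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + ttl)
    OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    return token

def reset_password(token, new_password, now=None):
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = TOKENS.pop(key, None)          # pop makes the token single-use
    if entry is None or now > entry[1]:    # unknown, reused or expired
        return False
    salt = secrets.token_bytes(16)
    USERS[entry[0]] = {"salt": salt,
                       "pw_hash": _hash_password(new_password, salt)}
    return True
```

An old reset mail found in a mailbox archive is useless once the link has been used or has expired, which is the difference from a mail containing the password itself.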
