Recently someone pointed out that an Ubuntu mailing list will e-mail a forgotten password back to you. And that this is wrong. Well, I agree, but…
I am never bothered when a mailing list sends me a plaintext password.
But I do something Extremely Radical: I don’t reuse passwords.
If a mailing list password of mine gets out it is only a mailing list password.
Reusing passwords is too scary. Somehow the idea of having just one (or a small number) of keys to my life and casually handing out copies to anyone who asks seems really stupid. How do I know what they are going to do with it?
Write down your passwords. Yup. Write them down. Keep a list, obscure things a little in the list, but keep a list. Put it in your wallet, keep an updated copy someplace else. If someone steals your wallet you will probably notice it and you will be able to go change passwords before the thief figures out your obscuring scheme.
But when you reuse a password and one of the various sites is broken into, first, you won’t know it was broken into; second, even if you did get notified, how would you ever know what other sites you used that password on if you don’t keep a list?
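That last question is exactly what a list answers. As an added illustration (not from the original post), here is a small script that takes a list of site/password entries and, for a breached site, reports which other accounts share that password and must be changed; the sites and passwords are constructed placeholders, and only a short hash of each password ever appears in the output.

```python
import hashlib
from collections import defaultdict

# Constructed sample list in the spirit of the post: (site, password) pairs.
# Every value here is a made-up placeholder, not a real credential.
ACCOUNTS = [
    ("mailing-list.example", "list-pw-2011"),
    ("bank.example", "correct horse battery staple"),
    ("forum.example", "list-pw-2011"),
    ("shop.example", "list-pw-2011"),
    ("work-vpn.example", "Tr0ub4dor&3"),
]


def fingerprint(password):
    """Short hash so reports never echo the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def group_by_password(accounts):
    """Map each password fingerprint to the list of sites that share it."""
    groups = defaultdict(list)
    for site, password in accounts:
        groups[fingerprint(password)].append(site)
    return dict(groups)


def reused(accounts):
    """Groups of sites that share a single password (the reuse you want to see)."""
    return [sites for sites in group_by_password(accounts).values() if len(sites) > 1]


def blast_radius(accounts, breached_site):
    """Sites whose password must be changed if breached_site leaks its passwords."""
    for sites in group_by_password(accounts).values():
        if breached_site in sites:
            return sorted(s for s in sites if s != breached_site)
    raise KeyError(f"unknown site: {breached_site}")


if __name__ == "__main__":
    for sites in reused(ACCOUNTS):
        print("shared password across:", ", ".join(sites))
    # A leak at the mailing list only matters because of the reuse above.
    print("rotate after mailing-list breach:", blast_radius(ACCOUNTS, "mailing-list.example"))
    print("rotate after bank breach:", blast_radius(ACCOUNTS, "bank.example"))
```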
Yes, it is better for mail reflectors to not send out plaintext passwords, but it wouldn’t matter much if you didn’t reuse passwords.
It should bother you that a site is mailing back your real password, but sites are constantly doing things far scarier than e-mailing a password to the right person (such as letting actual criminals get a copy). You should be far more bothered by the password reuse that makes every breach have possibly unbounded consequences.
Even if a site does a password reset and e-mails a temporary password, that is also a risk. E-mailing the original password is only worse if it is used elsewhere.
Don’t reuse passwords.
-kb, the Kent who thinks expiring passwords are stupid, too.
©2011 Kent Borg