Emailing passwords is no proof of storing passwords as plain text

There is a site named which lists sites which they claim store plain text passwords, i.e. not hashed or encrypted. As proof they let users email screenshots to them.

Many of the screenshots look like this:

Welcome XXX,

bla bla,

Username: XXXX
Password: XXXX

or, after a password change:

Dear YYY,

You have successfully changed your password to: XXXX

Nothing in those screenshots shows that the passwords are stored in plain text in the database. When you register an account or change your password you type it into an HTML form, so the web server necessarily receives it in plain text, and it can use that in-memory copy to generate the welcome email before hashing and storing it.

The only time you *might* have proof of someone storing your password in plain text is if you can request it back (as with a “forgot password” form that mails you your existing password). Even then, the password might not have been hashed, but it can still have been stored encrypted. That is not as secure as hashing (an attacker who gets hold of the encryption key can decrypt every password), but it is more secure than storing plain text.
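To make the point concrete, here is an added Python example (not code from the post or from the site it discusses): a hypothetical registration handler that hashes the password with PBKDF2 and still produces exactly the kind of welcome email seen in the screenshots, next to a “forgot password” flow that, over hashed storage, can only mail a reset link. The function names, the `example.invalid` URL and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; 600,000 iterations is the current OWASP guidance.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). The digest is one-way: nothing here can give the password back."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Check a login attempt by re-deriving the digest and comparing in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register(store: dict, username: str, password: str) -> str:
    """Hypothetical registration handler.

    The handler necessarily has the plaintext in memory, because the HTML form posted it.
    It stores only salt + hash, yet it can still build the welcome mail from that in-memory
    copy. The mail therefore proves nothing about how the password is stored.
    """
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest}
    return (
        f"Welcome {username},\n\n"
        f"Username: {username}\n"
        f"Password: {password}\n"
    )


def forgot_password(store: dict, reset_tokens: dict, username: str) -> Optional[str]:
    """Hypothetical 'forgot password' flow over hashed storage.

    The original password is not recoverable from the record, so the only thing that can be
    mailed is a one-time reset link. A site that mails your *existing* password back from this
    form must be keeping it reversibly (plain text or encrypted).
    """
    if username not in store:
        return None
    token = secrets.token_urlsafe(32)
    # Keep only a hash of the token, so a database leak does not hand out live reset links.
    reset_tokens[username] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return (
        f"Dear {username},\n\n"
        f"Reset your password here: https://example.invalid/reset?token={token}\n"
    )


def record_holds_password(store: dict, username: str) -> bool:
    """True only if the stored record could hand the password back to anyone who reads it."""
    return "password" in store[username]


if __name__ == "__main__":
    users, tokens = {}, {}
    pw = "correct horse battery staple"  # constructed sample credential
    print(register(users, "alice", pw))        # the welcome mail contains the password...
    print(users["alice"])                      # ...but the record holds only salt + hash
    print(verify_password(pw, users["alice"]["salt"], users["alice"]["hash"]))
    print(forgot_password(users, tokens, "alice"))  # a reset link, never the password
```

The welcome mail and the stored record come from the same request, which is why a screenshot of the former says nothing about the latter; only the reply to a password-recovery request does.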


I’ve misinterpreted what their goal was. This page explains it.

Email over port 25 is not secure. But most email providers today use SSL when sending and retrieving emails, which means that man-in-the-middle attacks are not possible. You are only vulnerable to the “email attacks” if the attacker has done the following:

1. Gained access to the router that you or the web site is on (or hacked your computer)
2. Your email provider does not use secure transfers of emails (as most do today).

The chance is imho quite slim, which makes this security issue trivial compared to others.

What I’m saying is that it’s always important to shed light on security problems, but don’t scare the users by making them sound bigger than they are.

  • Unless I’m mistaken, SSL is only between your computer and the mail server. E-mails are still stored as plain text on mail servers, and may even reside on more than one mail server “while the e-mail made its way between two servers”. At least that used to be true. So e-mailing passwords is a bad idea, just like e-mailing credit card information. One ISP in the province of Quebec was sending signup confirmation e-mails to new customers, with all their information including full credit card info (number, expiration date and security code). Somehow the company didn’t see anything wrong with that…!

    • Well. So you say that it’s a security risk because someone can hack your ISP, Mail Server or computer?
      If someone succeeds with any of the above you have more serious problems than a password in an email.

      • Rh


        Sending a password in plaintext in an email is very bad… there are no ‘buts’.

        1) Say you leave your webmail logged in. I search “password” and have ALL of your passwords instantly.

        2) You cannot guarantee the security of the email message, maybe you recover it securely from your mail server, but your mail server had to receive it too, and store it.

        3) email is often stored in plaintext on your computer by your e-mail client.

        E-mail was never meant to be a secure medium…

        You say it’s a slim chance… Yes, for ONE user. If a website serves millions of users, the chance that this kind of poor security practice is exploited at least once gets to be unacceptably high.

        • 1. If you leave your computer logged in you would have loads of problems.
          2. SSL is what I would like to call secure (NSA excluded)
          3. Read number #1.

          If someone actually manages to hack your email provider they could just analyze all emails, create a script which requests new passwords for the sites discovered in the emails and they would gain access to all sites either way.

          • Sven Süld

            The difference between sending a plaintext password and not doing so is that in the first case you might not even know that the password has been leaked (forgot to log out on a friend’s computer, emails stored in plaintext on a random computer, a glimpse behind your back etc.). In the second case it’s much harder.

            Or – leaving keys in the door vs keeping them in a pocket. In the first case an attacker could enter your apartment, read your stuff or whatever and leave everything intact without you even knowing. In the second case it’s much harder.

            Why on earth would you even want to send a plaintext password? It is meant to be private. It is like “hush-hush, hiding the chars, tell me what password to use” and then “yo, don’t forget your password was yadayada!”. You choose your password, then write it down in a secure place. Then it becomes your problem. You don’t need some random website to generate more problems.