Passwords in Peril: Preventing activation emails from compromising your passwords
As an Internet user, you are bound to register and create user accounts on some of the many kinds of web sites that require registration: forums, technical support sites, social networking sites, newsletters, frequently visited blogs, image or file sharing services and many other online services. When you create an account on such a site, you are usually taken to a sign-up page where you are asked to choose a password for the account, and you are also usually sent an activation email, to the address you specified, that lets you activate the account.
Unfortunately, some incautious web sites send your password in plain text inside that activation email!
This is a very risky practice. Email is often relayed between mail servers without encryption, or with opportunistic encryption that can be silently downgraded, so a message can be read in transit. Once it arrives, it sits in your mailbox, and in backups on both the sending and receiving servers, for as long as anyone keeps it, where it can be read by whoever gains access to the account; it can even be seen by a person standing nearby while you check your email!
There are two ways to mitigate this risk, one strategic and one tactical. The strategic solution is to contact the web site owner, courteously warn them of this risky practice and politely ask them to stop sending passwords in email. The tactical solution, which is a short-term patch that protects only you, only on that site, and only if you remember to do it, is to enter a throwaway password in the sign-up form: as soon as the email carrying that temporary password arrives, sign in to the account and change the password. Whatever you do, never type a password you use elsewhere into such a form, because that is the password that will be exposed.
Of course, you may argue that there is a third, even less effective tactical solution: deleting the activation email once the account is activated. Personally, I consider this solution alone completely ineffective: a valid password still travels through the mail system, where it may be intercepted, it may linger in a trash folder or a server backup after you delete it, and it can be seen by prying eyes when you open the email for the first time, before you have a chance to delete it.
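For site owners on the receiving end of that polite request, here is what the sign-up flow should look like instead. This is an added example written for this post, not code from any of the sites discussed; it assumes a hypothetical in-memory user table and outbox standing in for a real database and mailer, and a made-up activation URL. The insecure handler reproduces the practice the post warns about, so the two mail bodies can be compared side by side; the secure handler stores only a salted password hash and emails a random, single-use, expiring activation token, so the mail contains nothing an interceptor could log in with later.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for a database and an outbound mail queue
# (assumptions for this example, not part of any real framework).
USERS = {}             # email -> account record
OUTBOX = []            # (recipient, subject, body) tuples a mailer would send
TOKEN_TTL = 24 * 3600  # activation links expire after one day
ACTIVATE_URL = "https://example.invalid/activate"   # hypothetical endpoint


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: only salt and digest are ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(email, password):
    """Constant-time check of a login attempt against the stored hash."""
    rec = USERS.get(email)
    if rec is None or "pw_hash" not in rec:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["pw_hash"])


def register_insecure(email, password):
    """The risky pattern: the chosen password is written into the activation mail."""
    USERS[email] = {"password": password, "active": False}
    OUTBOX.append((email, "Activate your account",
                   f"Your username is {email} and your password is {password}."))


def register_secure(email, password, now=None):
    """Email only a random, single-use, expiring token; never the password."""
    now = time.time() if now is None else now
    salt, pw_hash = hash_password(password)
    token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    USERS[email] = {
        "salt": salt,
        "pw_hash": pw_hash,
        # Store a hash of the token so a leaked user table does not yield live links.
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "token_expires": now + TOKEN_TTL,
        "active": False,
    }
    OUTBOX.append((email, "Activate your account",
                   f"Click {ACTIVATE_URL}?u={email}&t={token} to activate."))
    return token   # returned only so a caller (or test) can simulate the click


def activate(email, token, now=None):
    """Consume the token: expiry check, constant-time compare, single use."""
    now = time.time() if now is None else now
    rec = USERS.get(email)
    if rec is None or rec.get("token_hash") is None:
        return False
    if now > rec["token_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["token_hash"]):
        return False
    rec["active"] = True
    rec["token_hash"] = None               # the link cannot be replayed
    return True


def last_mail_body():
    """Body of the most recently queued message, for inspection."""
    return OUTBOX[-1][2]
```

The important property is that the secure mail body is worthless after the link has been clicked once or after it expires, whereas the insecure body stays a valid credential for as long as the user keeps that password.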