I spoke at a conference recently. As a presenter I was given a login to a site to upload speaker materials, read feedback, and more. The site sent me occasional e-mail reminders (need your bio, provide session description, etc.), and every e-mail included, as a reminder, my login and password. Yes, my password, in a plain old SMTP message, in clear text. Nice, huh? So I sent the organizers several messages suggesting that passwords not be sent in e-mail messages like that, and I thought the situation had improved. But … they just sent another e-mail message, this time not to me but to an events person at Macromedia (someone who helped set up this speaking engagement), and of course the message contained my login and password! Let this serve as a reminder to all to use different passwords for different apps and sites.
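A site that can put your password into a reminder e-mail is holding that password in a form it can read back, which is the underlying problem. As an added example, not code from this post or from the conference site, here is how a registration system avoids ever being able to do that: passwords are stored only as salted PBKDF2 hashes, and reminder mails carry a short-lived, single-use reset token instead of credentials. The class and function names, the 15-minute token lifetime, the iteration count and the example.invalid URL are assumptions made for the example.

```python
# Added example, not code from the original post or the conference site.
# Names (UserStore, issue_reset_token, ...) and the 15-minute token lifetime
# are assumptions made for the example.
import hashlib
import hmac
import secrets
import time

# PBKDF2-HMAC-SHA256 iteration count (assumption: OWASP's current guidance range).
PBKDF2_ROUNDS = 600_000
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored, so the password
    cannot be recovered to put in a reminder e-mail."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class UserStore:
    """In-memory stand-in for the site's user table (constructed for the example)."""

    def __init__(self):
        self.users = {}   # login -> (salt, digest)
        self.resets = {}  # sha256(token) -> (login, expiry timestamp)

    def register(self, login, password):
        self.users[login] = hash_password(password)

    def check_login(self, login, password):
        record = self.users.get(login)
        return record is not None and verify_password(password, *record)

    def issue_reset_token(self, login, now=None):
        """Single-use, time-limited token to e-mail instead of the password."""
        if login not in self.users:
            raise KeyError(login)
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked table does not yield live links.
        key = hashlib.sha256(token.encode("ascii")).digest()
        self.resets[key] = (login, now + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("ascii")).digest()
        entry = self.resets.pop(key, None)  # pop: a token works at most once
        if entry is None:
            return False
        login, expiry = entry
        if now > expiry:
            return False
        self.users[login] = hash_password(new_password)
        return True


def reminder_email_body(token):
    """The reminder the organizers should send: a reset link, never the password.
    example.invalid is a reserved, non-routable name used as a placeholder."""
    return (
        "Your speaker materials are due. To log in or set a new password, "
        "use this one-time link (valid for 15 minutes):\n"
        "https://example.invalid/reset?token=" + token
    )


if __name__ == "__main__":
    store = UserStore()
    store.register("speaker", "hunter2")
    token = store.issue_reset_token("speaker")
    print(reminder_email_body(token))
```

The token is hashed before storage for the same reason the password is: a copy of the database, or a reminder forwarded to the wrong person as in the post, should not hand out a working login. The forwarded message in that case contains only a link that expires in minutes and dies on first use.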

7 thoughts

  1. Devcon, and now Max, do this, not for speakers, but for attendees. For the last two years, my username and password have been on the piece of paper with my session schedule on it, for everyone to see, unless I tear that part of the page off.

  2. uh, please don’t quote me on this, but one way to seep security-awareness into slower craniums may be to go to another machine or anonymizer, log in, and alter your page in hilarious ways, then claim you’ve been hacked… more effective if you can talk some other speakers into it too.
    (Rephrased, an apparent act of hacking may get more mindshare than an as-yet-unexploited threat of hacking.)

  3. Robert beat me to it, but this has been routine practice at DevCon for years. Every time I pick up my packet at the registration table I mention the problem and tear off that portion of the paper in front of the desk to reinforce my distaste.
    I hope that this year the MAX coordinators realise that this is a Very Bad Thing.

  4. I have always used unique passwords for any sites dealing with financial or other critical data. However I do have two passwords I reuse on quite a few sites. I do this out of convenience but more and more I feel the need to use unique and strong passwords for everything. The problem is keeping track of all those. I recently discovered PINs, secure passwords manager. It is a freeware app for Windows that uses 448-bit Blowfish encoding and it has a great password generator and overall seems like a great way to manage passwords. The only downside I can think of when using PINs is that I can’t really take it with me, on a compact mobile device for example. Maybe one or two strong passwords for non-critical sites is still a worthwhile option.
    You can find PINs, secure passwords manager, at http://www.mirekw.com/winfreeware/pins.html

  5. I immediately thought of DevCon/MAX when I read this. Twice I’ve received someone else’s registration confirmation email (in addition to my own) with their password in plain text. Unfortunately, neither of the attendees was registered for the hands-on sessions I was trying to get into so I couldn’t "make room" for myself (not that I would do something like that).

  6. I’ve been using this for over a year now and it seems to work very well.
    https://sourceforge.net/projects/passwordsafe/
    Just let the program generate strong passwords and you can just cut and paste them when you need them. Treat its database like certificate keys and you should be fine. I use a separate file for important passwords that I exercise more care with.
    Plus, you can’t beat the price.
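As an added example, not code from the original post or from Password Safe or PINs, the generator below does what the two password-manager comments describe: it draws one independent password per site from the operating-system CSPRNG (Python's secrets module, never random.random), requires every character class so sites with composition rules accept it, and sizes the length from a target entropy. Function names and the defaults (20 characters, 128-bit target) are assumptions.

```python
# Added example, not code from the original post, Password Safe or PINs.
# Function names and the defaults (20 characters, 128-bit target) are assumptions.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Shortest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length=20, alphabet=ALPHABET, require_all_classes=True):
    """Draw every character from the OS CSPRNG (secrets), not random.random().
    With require_all_classes the draw is repeated until each class present in
    the alphabet appears; that rejection costs a fraction of a bit, so size
    length with a little headroom."""
    needed = [cls for cls in CLASSES if any(ch in alphabet for ch in cls)]
    if require_all_classes and length < len(needed):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or all(
            any(ch in cls for ch in candidate) for cls in needed
        ):
            return candidate


def generate_vault(sites, target_bits=128):
    """One independent password per site, so a credential leaked by one site
    (say, in a reminder e-mail) opens nothing else."""
    length = length_for_bits(target_bits)
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    for site, pw in generate_vault(["conference-site", "bank", "webmail"]).items():
        print(f"{site:16} {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
```

Twenty characters from this 94-symbol alphabet is about 131 bits; that is far beyond what any site's reminder-mail leak or offline guessing will threaten, and because each site's value is independent, a leak at one site gives an attacker nothing to try elsewhere. Some sites reject parts of string.punctuation, so pass a trimmed alphabet for those rather than shortening the password.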
