[DEV] Send login details as image (not plain text)

Modules, Add-ons and custom code that's more than just a quick hack or Mod.
Martin
Site Admin
Posts: 1854
Joined: Wed Jun 17, 2009 6:30 pm
Location: South Yorkshire UK

[DEV] Send login details as image (not plain text)

Post by Martin »

I've just had a delightful email from a potential customer, who frankly needs his attitude surgically removed, but the underlying point made is still valid..

you send my email address AND PASSWORD for this site straight
across the net IN PLAIN TEXT

all it takes now is for some di*k head
to log into this site with MY details and he now has MY FULL contact
details, phone number, and enough info to start scamming me

Aside from the lack of capitalisation (or ability to provide constructive feedback without resorting to hurling abuse), the point is valid, so I'm looking at putting together a two-stage process that sends the login/username as text and then produces the login and password information as an attached image. This should then stop any automated attacks that intercept email details, at least.

Re: [DEV] Send login details as image (not plain text)

Post by Martin »

Found a solution and started using it on my site...

If/when I get some time I'll put it together as a proper modification with instructions and get it released.


The only real question at this point is whether I should be creating a JPG or GIF instead of a PNG for the image format... Thoughts anyone?
kurt
Posts: 147
Joined: Fri Jul 02, 2010 5:09 am

Re: [DEV] Send login details as image (not plain text)

Post by kurt »

Seems like overkill to me. Just don't send the password at all. If the customer forgets it, they can just use the forget password procedure.
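kurt's suggestion above (never email the password; rely on a forgot-password procedure), worked through as an added example. This is not code from the thread or from any poster's site. It assumes the site stores salted password hashes rather than the password itself (a site that can email a password back is necessarily storing it reversibly), and the base URL and class/function names are hypothetical. The reset email carries only a link with a random token; the token is stored as a hash, expires after 15 minutes and is consumed on first use, so a copy of the email read from an intercepted connection or a compromised mailbox is useless once the owner has used it or the window has passed.

```python
"""Password reset by single-use, expiring token instead of emailing the password.

Added example, not the forum's or any project's code. Assumes salted password
hashes are stored (never the password) and that the reset email contains only
a URL carrying the token. BASE_URL and all names here are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
import urllib.parse
from typing import Optional

RESET_TTL_SECONDS = 15 * 60       # short lifetime: a snooped reset email goes stale quickly
PBKDF2_ITERATIONS = 100_000
BASE_URL = "https://example.invalid/reset"   # hypothetical; replace with the real site URL


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _hash_token(token: str) -> str:
    # Only the hash of the token is stored: a database leak must not yield usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}    # email -> {"salt": bytes, "pw_hash": bytes}
        self._resets = {}   # token hash -> {"email": str, "expires": float}

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[email] = {"salt": salt, "pw_hash": _hash_password(password, salt)}

    def check_password(self, email: str, password: str) -> bool:
        user = self._users.get(email)
        if user is None:
            return False
        # Constant-time comparison of the two derived hashes.
        return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])

    def request_reset(self, email: str) -> Optional[str]:
        """Return the email body to send, or None for an unknown address.

        The web form should respond identically in both cases so it does not
        reveal which addresses are registered.  The body never contains the
        password; it only carries a fresh random token inside a link.
        """
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        self._resets[_hash_token(token)] = {
            "email": email,
            "expires": self._clock() + RESET_TTL_SECONDS,
        }
        return f"Reset your password within 15 minutes: {BASE_URL}?token={token}"

    def consume_reset(self, token: str, new_password: str) -> bool:
        # pop() makes the token single-use whether or not it turns out to be valid.
        entry = self._resets.pop(_hash_token(token), None)
        if entry is None or self._clock() > entry["expires"]:
            return False
        self.register(entry["email"], new_password)   # new salt, new hash
        return True


def token_from_link(body: str) -> str:
    """Extract the token from the emailed link (what the reset page's handler does)."""
    url = body.split()[-1]
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return query["token"][0]


if __name__ == "__main__":
    store = AccountStore()
    store.register("customer@example.invalid", "hunter2")          # constructed sample account
    body = store.request_reset("customer@example.invalid")
    print("Email body sent:", body)                                 # no password anywhere in it
    token = token_from_link(body)
    print("First use:", store.consume_reset(token, "correct horse battery staple"))
    print("Second use:", store.consume_reset(token, "anything"))   # False: single use
```

The two checks a practitioner should make against any forgot-password implementation are visible here: the email body never contains the password (nothing reversible is stored, so it cannot), and a captured link stops working after one use or after the TTL. A snooper who knows that the email address is also the login still gains nothing from the message once it has expired or been used.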

Re: [DEV] Send login details as image (not plain text)

Post by Martin »

kurt wrote: Seems like overkill to me. Just don't send the password at all. If the customer forgets it, they can just use the forget password procedure.

I have quite a few retired customers, so overkill in this instance works for my customer base. Worth noting that the forgot-password procedure has a similar issue if the snooper knows email = login/user.

That said your approach covers most evils...
Tony Barnes
Posts: 744
Joined: Thu Jun 18, 2009 8:59 am

Re: [DEV] Send login details as image (not plain text)

Post by Tony Barnes »

We've had this in the past. I simply reply saying it was a fairly standard procedure, we follow PCI compliance so do not hold any payment details so they are at no risk of fraud, and that if someone were to break into their email account and gain control, they would be able to request passwords from every site they are registered to anyway, so it is a pretty null and void complaint.

I like it when I get my username and password in 1 email, saves a lot of effort when on different machines/being dim !!!

Re: [DEV] Send login details as image (not plain text)

Post by Martin »

Tony Barnes wrote: We've had this in the past, I simply reply saying it was a fairly standard procedure, we follow PCI compliance so do not hold any payment details so they are at no risk of fraud, and that if someone were to break into their email account and gain control, that they would be able to request passwords from every site they are registered to anyway, as such it is a pretty null and void complaint.

I suspect the issue they had/have is that they expect someone to packet sniff their emails and intercept the information that way. It's actually a feasible approach and can be done if someone is able to intercept those packets of data, but to be honest it's bordering on the paranoid.

That aside, I'm aware that quite a few of my customers have Hotmail, Yahoo and similar accounts that have been brute forced with dictionary attacks (my wife included, which was a long, painful lecture for her!). What's rather scary about the process used is that it uses the authentication to test against other email accounts (and possibly eCommerce sites) then subverts those as well. My wife's Yahoo account was forced and then the same authentication was successfully used against her other email address under one of my personal domains, so they obviously scrape the email/address account and an automated process tries out the authentication on those as well. Rather clever and very insidious stuff!

It's never going to stop a REALLY determined manual approach that backs up the bot, but the image approach does reduce the automation side considerably.

Anyway, in this instance I dealt with the problem and I'll be putting a mod' up at some point, if there's time...

Tony Barnes wrote: I like it when I get my username and password in 1 email, saves a lot of effort when on different machines/being dim !!!

You? dim? Never?.... well.. much... ;)

Re: [DEV] Send login details as image (not plain text)

Post by Tony Barnes »

I guess the automated scripts are gonna have an easier time of things; image does sound like a nice compromise.

lol, how hard was the wife's password..??

Had a funny one on another forum. One of the girls, Liz, posted a link to a page that had come up when she searched her email address. I had a look, and sure enough, there was her email address, and password.... So I logged in and sent her an email suggesting she might want to think up a better password - 'lizzy' not really cutting the mustard.. :lol: :lol:

Did really make me laugh how she actually purposefully spread her password even further without cottoning on :roll:

Re: [DEV] Send login details as image (not plain text)

Post by Martin »

Tony Barnes wrote: Did really make me laugh how she actually purposefully spread her password even further without cottoning on :roll:

How does it go?
Every time you make something idiot proof, they go and make a better idiot
:roll: :lol:

Re: [DEV] Send login details as image (not plain text)

Post by Tony Barnes »

:D