
Your website or application stores passwords in clear text. This is a serious problem you should fix quickly.

Why was I sent here?

This link was most likely given to you by a user of your website, who noticed that you sent them an email containing their password. Something like this:

Dear Jane Doe,

Thank you for registering with Omni Consumer Products. You can now log in with the following credentials:

username: JaneDoe83
password: wRty97/WOrp

You can change your password after logging in.

With kind regards,
The OCP Web Team

Your user is trying to tell you that this is a very serious security problem, and you should fix it.

What’s the problem?

In a secure website, or any other application managing user information, the operator should not be able to see the user’s passwords. If you can email me my password, that means you can see it too.

You can protect the passwords by hashing them. A password hash is a one-way function: it turns the password into a fixed-size value from which the password cannot be recovered, but given a login attempt you can hash the attempt the same way and check whether the results match. Note that this is not encryption. An encrypted password can be decrypted again by anyone with the key, which is exactly what you want to make impossible.

This practice ensures that the password information stays safe, even in the following events:

It also stops you from sending passwords over email. Email is not end-to-end encrypted: every mail server that relays or stores the message, and anyone who later gets access to the recipient's mailbox, can read it.

My website is not that important. There are no payments and security is not crucial.

That makes your site a prime target for attack. Users reuse passwords. If I get access to your database:

  1. I will get an email address and a password for each user.
  2. If any of them use the same password for their email as for your site, I can access their email.
  3. With access to their email I can reset the password for any other service they’re subscribed to.

The fact that you’re not serious about the basics of security means your website is probably easy to hack, giving attackers a quick and easy place to start gathering user data.

It’s not about your security, it’s about the security of your users, beyond your website.

Our security is fine. Nobody is going to get access to our database.

Is your security better than that of LinkedIn? Because they were hacked. So were Adobe, eBay and Yahoo (twice). Most of these companies did hash or encrypt their passwords; if they hadn't, millions of users would have had their identities stolen. Even so, LinkedIn's unsalted SHA-1 hashes were largely cracked, which is why the choice of algorithm and the use of a salt matter too.

If this is the first time you hear about password hashing, you have absolutely no reason to be confident about your security. But even if it is fine, and nobody will ever hack your site, there are many other ways this could go wrong:

How should I fix this?

The most direct fix is to store a salted, slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) instead of the password, and to compare against that hash at login. Every existing cleartext password must be converted, and since you can never know whether the cleartext copies have already leaked, your users should also be asked to change their passwords.
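Here is what "salting and hashing" looks like when done with a standard library function rather than by hand. This is an added example for this page, not code from any particular platform or library; it uses scrypt from Python's hashlib because it is built in, but Argon2id via a maintained library is an equally good choice. The record format (`scrypt$N$r$p$salt$hash`) and the work factors are assumptions for this example: tune N until one hash takes roughly 100 ms on your own server.

```python
import base64
import hashlib
import hmac
import os

# Illustrative scrypt work factors for this example, not a universal recommendation.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return the self-describing record to store in the database instead of the password.

    A fresh random salt is drawn on every call, so two users (or the same user
    twice) with the same password get different records, and an attacker cannot
    use one precomputed table against the whole user base.
    """
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(key)])


def _parse(record: str):
    scheme, n, r, p, salt, key = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown password hash scheme: " + scheme)
    return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(key)


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against the stored record; the password itself is never recovered."""
    n, r, p, salt, expected = _parse(record)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison: a plain == returns early and leaks how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was made with weaker parameters than the current ones.

    Call it right after a successful login, when the password is momentarily
    known, and store hash_password(password) to upgrade the record in place.
    """
    n, r, p, _, _ = _parse(record)
    return (n, r, p) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def unsalted_md5(password: str) -> str:
    """The pattern this page warns against, kept only for contrast: fast, unsalted,
    and identical for every user who picked the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "wRty97/WOrp"  # the constructed password from the example email above
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print(rec1)
    print(rec2)  # a different salt, so a different record for the same password
    print(verify_password(pw, rec1), verify_password("wrong", rec1))
    print(unsalted_md5(pw) == unsalted_md5(pw))  # always True: precomputable, no salt
```

Nothing in the stored record lets you reproduce the password, so the welcome email from the top of this page becomes impossible to write, which is the point. Keep the parameters in the record rather than in configuration so that `needs_rehash` can migrate old rows when you raise the work factor later.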

However, the fact that you’ve implemented user management yourself hints at a bigger problem. There are many common security mistakes like these, and unless you’re a security specialist it’s almost impossible to cover everything.

This is why it’s important to build your websites on top of a well maintained platform or library. Frameworks like Ruby on Rails or Django, and the established authentication libraries for platforms such as Node.js, are used to run thousands of websites and are maintained by hundreds of contributors. This means that when it comes to security, they can provide the attention to detail that you can’t. Put simply: if you store user information you should build your website on a popular and well-maintained platform, and use its built-in user management rather than writing your own.

Do not implement user management yourself. Use standard solutions, and use them as they’re designed to be used.

We only send users a plaintext password after a reset. The password is not stored in plaintext in the database.

That’s great, but it’s still not good practice. You should send a reset link instead:
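A reset link, in outline: generate an unguessable one-time token, store only a hash of it together with an expiry, put the raw token in the link, and when the link is clicked check the hash, reject expired or already-used tokens, and then let the user choose a new password. The following is an added example for this page, not code from any framework; the in-memory tables, the `example.com` address and the 15-minute lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for this example

# Constructed in-memory stand-ins for two database tables.
USERS = {"jane@example.com": {"username": "JaneDoe83"}}
RESET_TOKENS = {}  # sha256(token) hex -> {"email": ..., "expires": unix time}


def _token_hash(token: str) -> str:
    # Only this digest is stored. A leaked copy of the table is useless because
    # SHA-256 cannot be reversed to recover the token that is in the link.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def start_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time reset token and return the link to put in the email.

    Returns None for unknown addresses. The web page should show the same
    "if that address is registered we have sent a link" message either way,
    so the form cannot be used to find out which addresses exist.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    RESET_TOKENS[_token_hash(token)] = {"email": email, "expires": now + RESET_TTL_SECONDS}
    return "https://example.com/reset?token=" + token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate a token from a clicked link; return the account's email on success.

    The caller then lets the user pick a new password and stores it with a
    proper password hash. The old password is never known, shown or mailed.
    """
    now = time.time() if now is None else now
    digest = _token_hash(token)
    # Comparing against each stored digest in constant time avoids a timing
    # side channel on the lookup; the table is small because tokens expire.
    match = next((k for k in RESET_TOKENS if hmac.compare_digest(k, digest)), None)
    if match is None:
        return None
    entry = RESET_TOKENS.pop(match)  # single use: a second click must fail
    if now > entry["expires"]:
        return None  # expired links are rejected (and removed above)
    return entry["email"]


if __name__ == "__main__":
    link = start_reset("jane@example.com")
    print("mail this:", link)
    raw = link.split("token=", 1)[1]
    print("database holds:", list(RESET_TOKENS))
    print("first click:", consume_reset_token(raw))
    print("second click:", consume_reset_token(raw))
```

The email now contains something that is useless after one click and after fifteen minutes, and that an attacker who copies your database cannot reproduce, which is the opposite of the password itself.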

Finally, the fact that you’re sending out passwords still shows you’re implementing user management yourself. It’s unlikely that you’re getting it exactly right. Are you salting your hashes? Are you using a slow, dedicated password hash such as bcrypt, scrypt or Argon2 (not MD5, not SHA-1, and not a single round of SHA-256 either)? Are you comparing hashes in constant time? Here’s a good overview of most things you need to think about, but really, for something this complicated, you don’t want to reinvent the wheel.

I have more questions.

Great! This page has some more answers for you.

If your question is not on there, and you think it’s a question that other people might have too, you can open a GitHub issue for this page. If we agree, we’ll add it to the page. If it’s specific to your situation, you can ask a question on security.stackexchange.com.

Information for users

I received my password in cleartext. What should I do?

First, make sure that the password you use for this service is not used anywhere important. Never reuse the password you use for email. Ideally, use a password manager. If possible, remove any personal information and ditch the service.

Second, you can send them the email template at the bottom of this page. If they get only one, they’ll probably ignore it, but if they keep getting them, they’ll start paying attention eventually.

What else can I do to protect myself against sites like this?

The main security issue is the fact that users reuse passwords for different services. Of course, nobody can remember a separate password for each service they use. There are two simple solutions.

The first is to use a password manager. This securely stores a unique login for each service and you have to remember only one password: the one for your password manager. Some operating systems come with a password manager (like Keychain on macOS). This article gives some other options.

However, this does make logging in anywhere a bit more of a hassle. The second solution is to maintain a small set of passwords and to reuse passwords carefully. For instance:

This requires you to remember only three passwords, but it makes your data a lot more secure. If your memory is good you can extend the number of passwords. For instance, you can use a separate password for physical devices, or a separate password for sites that you know are untrustworthy (like those that send you back your own password).

Send an email to an offending website

If you notice that somebody has sent you your password back, you can send them the following email. Just replace the values in square brackets.

to: [their-address]
subject: Your website ([website]) stores my password in cleartext
body: Dear Sir or Madam,

I am a user of your website ([website]). I recently noticed that you sent me my password by email. This means that my password is stored in unencrypted form in your database. This is a serious problem that you need to address quickly.

You can read why on the following (non-profit) website:

https://cleartxt.info

I hope you will read this information carefully and take steps to fix the problems with your website. If you can't, please ensure that someone who can is made aware of the problem.

With kind regards,
[your-name]