Why Uber's plaintext password emailing doesn't deserve the fuss
Naked Security Naked Security

Uber in hot water again – this time over plaintext passwords in emails

Password resets are a necessary evil, but they're best avoided however they are done. And you don't get to use the word "hacked" if you use and reuse weak passwords!

Image of Uber on phone courtesy of ShutterstockIsabelle Berner has been taking a lot of Uber rides in the UK lately, for somebody who lives in New York City.

At least, as far as her Uber receipts are concerned, that’s where she’s been Ubering.

But as Motherboard reports, Berner hasn’t visited the UK recently.

That makes the £36 Uber receipt she saw in her inbox Thursday morning a little fishy.

Her account had, of course, been hijacked.

She immediately changed her password, sent an email to Uber support, had her account hijacked again in spite of the changed password, got ignored by Uber for hours, and finally got a note from Uber saying that yes indeedy, it looks like somebody accessed your account illegitimately.

Uber refunded all the UK charges.

How did Berner get back into her recovered account?

With a password, which was sent in plaintext in that same email.

Listen: can you hear the hiss of disapproval? After all, as Motherboard notes, the practice of sending passwords via plaintext is roundly frowned upon.

There’s even a site devoted to shaming plaintext-password-sending practitioners, called, aptly enough, Plain Text Offenders.

The problem, Motherboard notes, is that “few email providers encrypt emails in transit, which means the unencrypted emails, and all their content, can be intercepted while travelling across the internet” – a problem that Google, for one, explained last year when it noted that half of email is sent unencrypted.

Per Thorsheim, the founder of the Passwords conference, told the magazine that if an intruder gains access to an email account, it would be easy for him to search for “password”, to find messages like the one Uber sent to Berner, and get into any accounts he could.

What would be a better practice, he said, would be for the company to send an email with a one-time reset link that redirects the user to the company’s website, where he or she could change the password.

In fact, Thorsheim said, the email Uber sent to Berner proves that the company either has “no procedures for handling incidents like this, or they have an employee who doesn’t follow procedure.”

Are plaintext passwords all bad?

While it’s never a good idea to send a new password in an email – a password-reset link is safer all round – it’s past or existing passwords sent via email that are the bigger problem.

Sending old or current passwords points to the fact that those passwords haven’t been properly hashed in a company’s password database, which is a basic step in maintaining account security in the event of a breach.

If they had been properly salted and hashed, the company shouldn’t have been able to read them.

But generating a new password and emailing it in plaintext doesn’t feel quite so bad, provided the user changes the given password right away.

After all, whether crooks intercept a password reset link that lets them login and choose a new password, or intercept the password itself to login and take over your account, the outcome is similar.

Therefore, Uber’s plaintext password emailing could perhaps be excused as an acceptable special measure, but it does set a standard of behaviour that crooks can use to their own advantage.

Like banks not sending login links in emails, and software vendors not distributing updates as EXE file attachments, plaintext passwords are best avoided so that when you see one, you know something phishy is going on.

Misplaced blame?

Yes, Uber has had plenty of privacy and security incidents to blush about, but perhaps this isn’t one of them.

Hijacking victim Berner admitted to having used a weak password, so can Uber be held responsible for hijacked accounts when those account holders are using lousy security practices?

If it’s anything like one of the top bad passwords, it can be cracked in less time than it takes to type it in.

To assure that burglars can’t break into every room in your internet house, we all should be following the simple rule: One Site, One Password.

To hear more password rules and regulations, including a drill-down on password reuse, you might want to check out our Sophos Techknow podcast, Busting Password Myths.

If you’re flummoxed by cooking up and remembering a different passcode for every site you frequent, you might want to consider using a password manager. Here’s some help on how to choose and use one.

Just make sure you come up with a devilishly hard-to-crack password for your password manager.

Here’s a short, sweet video that shows you how!

Image of MAHATHIR MOHD YASIN / Shutterstock.com.