PCMag and security

Simple. I logged in to PCMag.com and changed my password; they sent me a confirmation email with my new password. It was sent unencrypted. I sent a complaint to the complaint email address and to several writers, especially Neil Rubenking.

Am I wrong and paranoid?

 

Sending confirmation of a updated password is normal but as a security minded (or so we think) web society we haven't got to the point where we actually encrypt email.

 

Way overboard, IMHO. 1. Why not email them using their feedback address? The complaint address is for actual problems, not "wish it was done this way" thoughts. 2. Sending emails to the writers isn't going to get you places. It's not likely they even see it, considering people like Neil and John there have their inbox overflowing just with rants/comments on the articles they write.

Stick to the corporate departments, the ones who actually make decisions.

 

You're not paranoid, IMHO. Allowing users to reset passwords is inherently insecure. Both common approaches -- emailing temporary passwords, and emailing links for entering new passwords -- rely on the non-existent security of unencrypted email. That is, they depend on obscurity. Of course, it's prudent to log in ASAP and create a private password. But if an attacker gets there first, and changes the account email address, you're pwned.

 

No. You're not wrong and paranoid. This is a subject that I keep coming back to. Mainstream companies seem to feel that it is too difficult to provide both encrypted and unencrypted email options for their customers. Why does PC World not have an option for encrypted email? You are right to ask the question and insist on an answer.

 

And since we're on the topic, and it's assumed I can't resist, one more thing: I absolutely fail to see why, along with pgp encrypted email, commercial services and providers cannot set up encrypted webmail for their customers, even at the most basic level, with a simple sign-up, through a service like Hushmail or Countermail. How is this worse than nothing? You know, how about just reasonable security, for the simple occasions when one isn't plotting the overthrow of the U.S. government, exposing corporate corruption, or engaged in LE? This all-or-nothing approach is ridiculous.

 

You are right and they, incompetent.
There is no need to send the password back for confirmation.
The way it should be done is:

(this is not an actual email from pcmag, you can keep your dcma in your draft folder )

alternatively some sites also post a one time confirmation code which you need to enter into the site to confirm that you actually are the owner of the account and wanted to change the password and not some script kiddy who sniffed the password and wanted to lock out the true owner (because the "s" in https doesn't really exist in most cases, or does it? In their case it opens some connection to akamai.net, ah a 3rd party - how reassuring). A security concept that is based on the assumption that your email connection is encrypted and secondly, well see below:

It's just an online magazine, I wouldn't care about any of their security. Consequently I would not sign up with an email address I care about, and not use my password that works on gmail, facebook, ebay and paypal....

 

I have 12 email addresses and two of them are private personal, one for kin kith & friends, the other for some gov and banks; I have two public boxes that I will put on sites, mail to them goes through 3 spam filters: their own, forwarded to Gmail then downloaded to SeaMonkey Mail; the others are for special interests and research. Before I used this method I got spam in the public email addresses, now no spam gets through in either.

It was one of my public boxes I used in the transactions with PCMag, but I still believe security is important. I use one of the private personal boxes for some government agencies and for banking.

So see I have rational paranoia. I believe that PCMag is the only site or ISP to send me the password. They say, as mentioned here, did you change your password? If you didn't contact us; If you did simply ignore this. No password is included.

I will write corporate. That's a good suggestion. Thank you all.

 

How do you expect them to send you an encrypted e-mail when you haven't exchanged public keys? Encryption doesn't happen automagically.