Display Password for new accounts

Discussion in 'other security issues & news' started by Jesse Salmon, Apr 13, 2016.

  1. Jesse Salmon

    Jesse Salmon Registered Member

    Joined:
    Apr 13, 2016
    Posts:
    2
    Working with our product managers, a question came up as to whether we should display the user's password when a new account is created. The idea is to help our target customers by simplifying the signup process.

    Would you display their password after an account creation?
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    Jesse, first, welcome to Wilders!
    I say no.

    If there was a security breach, all the passwords would be exposed. Having to explain to customers why a company failed to secure their data would erode any trust they have in a product, or company for that matter. Simplicity cannot trump security IMO.
     
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    @JRViejo: Your reasoning might not be clear to all. Would it be: "the system should not store actual passwords, and therefore it should not even be able to display a password after account creation"?
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    @TheWindBringeth Jesse is talking about displaying a password after an account is created, and I took that to mean: a customer goes to their newly created account profile and can see their login info. Now, if that's not what Jesse meant, he needs to clarify the question.

    As you probably know, most sites do not display passwords in an account when one goes to view it, after signing in. A site has to be able to store passwords, if one is required, yet the password field in the account profile can remain blank, until a client decides to type one in, usually if they want to change the password. If the password field displays the actual password, and there's an account breach, anyone can see that text. Even if the field has asterisks, using the Inspect Element trick, the password can be converted to text.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Yes, I have seen that. I've also seen sites that won't allow the user to view their previously configured answers to security questions. Plus some censoring of account numbers, social security number, even usernames and email addresses in some cases. I can think of some scenarios where such behavior could be beneficial.

    First to my mind, however, was something that would compromise ALL passwords in one blow. A compromise of the password database came to mind, and thus, my attempt to bring up storing salted hashed [...] passwords instead of the passwords themselves.
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    I agree completely that's the way to go, yet, we didn't get enough info from OP. We'll see what their scenario is, if Jesse returns.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    In the meantime, and given that Jesse mentioned "streamlining signup"... the A/B testing, maximize conversions, crowd analyzes things to death. I've seen a few insist that when signing up there should only be ONE password entry field [with a show/hide link]. So that people don't have to confirm the password. That's "double" to them, much like confirming an email address is "double opt-in" to them.

    How do folks feel about this particular area? Personally, I feel all password entry fields should be hidden by default and have a show/hide button or link for those who need to see characters. Given the unique nature of password entry during signup, I feel there should be a confirm box. So that someone can enter a password without having to show it and still make sure that when the account is created it will have the correct password. Even the best typists can make mistakes, particularly when some special characters are involved. I've seen some cases where showing the password disables the second confirm box, eliminating the need to type the password twice. I'm OK with that variant, but if implementing, I would probably just go with two boxes that both respond to a show/hide command.
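    The signup-form variant described in this post (both boxes hidden by default, a show/hide control, and the confirm box only required while the password is hidden), as an added example that is not code from the thread or from any poster's site. The decision logic is kept in a pure function so it runs and can be checked without a browser; the element ids (`password`, `confirm`, `toggle`, `submit`) are assumptions for the wiring code.

```javascript
// Added example, not from the original thread: signup password entry with a
// show/hide toggle. Both fields are <input type="password"> by default; the
// toggle flips them to type="text" and, while shown, the confirm box is not
// required because the user can see exactly what they typed.

// Pure decision logic, separated from the DOM so it is testable headlessly.
// Returns { ok, reason } where reason is '' | 'empty' | 'mismatch'.
function checkSignup({ password, confirm, shown }) {
  if (!password) return { ok: false, reason: 'empty' };
  if (shown) return { ok: true, reason: '' };          // visible: no confirm needed
  if (password !== confirm) return { ok: false, reason: 'mismatch' };
  return { ok: true, reason: '' };
}

// Wires the logic to a form with the assumed ids #password, #confirm,
// #toggle and #submit. `doc` is the Document (passed in for testability).
function wireSignupForm(doc) {
  const pw = doc.getElementById('password');
  const confirm = doc.getElementById('confirm');
  const toggle = doc.getElementById('toggle');
  const submit = doc.getElementById('submit');

  // Hidden by default; tell password managers this is a new credential.
  pw.type = 'password';
  confirm.type = 'password';
  pw.autocomplete = 'new-password';
  confirm.autocomplete = 'new-password';

  let shown = false;

  function refresh() {
    const r = checkSignup({ password: pw.value, confirm: confirm.value, shown });
    submit.disabled = !r.ok;
    confirm.disabled = shown;     // the "showing disables confirm" variant
    confirm.required = !shown;
    if (r.reason === 'mismatch') {
      confirm.setCustomValidity('Passwords do not match');
    } else {
      confirm.setCustomValidity('');
    }
  }

  toggle.addEventListener('click', (ev) => {
    ev.preventDefault();
    shown = !shown;
    const t = shown ? 'text' : 'password';
    pw.type = t;                  // both boxes respond to the one control
    confirm.type = t;
    toggle.textContent = shown ? 'Hide' : 'Show';
    refresh();
  });
  pw.addEventListener('input', refresh);
  confirm.addEventListener('input', refresh);
  refresh();
}

// Only wire up when running in a browser; under Node the pure function is
// what gets exercised.
if (typeof document !== 'undefined') {
  wireSignupForm(document);
}

module.exports = { checkSignup, wireSignupForm };
```

Toggling `type` only changes what the screen renders; the value submitted to the server is the same either way, which is why the hidden-by-default state costs nothing in correctness and the confirm box is what actually catches a typo when the characters cannot be seen.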
     
  8. Jesse Salmon

    Jesse Salmon Registered Member

    Joined:
    Apr 13, 2016
    Posts:
    2
    Hello all,

    Thanks for all your input. I think it's best to run this through our compliance team. Does anyone know of any regulations that would prohibit the displaying of the password?

    Thanks,
     
  9. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    That's a tough one to answer, because if your company is U.S. based, and you're dealing with government customers, there's a plethora of password compliance requirements that a company must abide by, depending on your industry. And on top of that, most states have enacted legislation protecting clients' Online Privacy that companies must adhere to as well.

    You could start by looking at the National Institute of Standards and Technology for any info, however, your question is best asked of a law firm in your state, or country for that matter.
     