PCMag and security

Discussion in 'privacy general' started by Saint Satin Stain, Feb 11, 2011.

Thread Status:
Not open for further replies.
  1. Saint Satin Stain

    Saint Satin Stain Registered Member

    Joined:
    Feb 16, 2004
    Posts:
    222
    Location:
    Huntsville, AL and Greenwich Village, NYC
    Simple. I logged in to PCMag.com and changed my password; they sent me a confirmation email with my new password. It was sent unencrypted. I sent a complaint to the complaint email address and to several writers, especially Neil Rubenking.

    Am I wrong and paranoid?
     
  2. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Sending confirmation of an updated password is normal, but as a security-minded (or so we think) web society we haven't got to the point where we actually encrypt email.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Way overboard, IMHO. 1. Why not email them using their feedback address? The complaint address is for actual problems, not "wish it was done this way" thoughts. 2. Sending emails to the writers isn't going to get you places. It's not likely they even see it, considering people like Neil and John there have their inbox overflowing just with rants/comments on the articles they write.

    Stick to the corporate departments, the ones who actually make decisions.
     
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    You're not paranoid, IMHO. Allowing users to reset passwords is inherently insecure. Both common approaches -- emailing temporary passwords, and emailing links for entering new passwords -- rely on the non-existent security of unencrypted email. That is, they depend on obscurity. Of course, it's prudent to log in ASAP and create a private password. But if an attacker gets there first, and changes the account email address, you're pwned.
     
  5. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    No. You're not wrong and paranoid. This is a subject that I keep coming back to. Mainstream companies seem to feel that it is too difficult to provide both encrypted and unencrypted email options for their customers. Why does PC World not have an option for encrypted email? You are right to ask the question and insist on an answer.
     
  6. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    And since we're on the topic, and it's assumed I can't resist, one more thing: I absolutely fail to see why, along with pgp encrypted email, commercial services and providers cannot set up encrypted webmail for their customers, even at the most basic level, with a simple sign-up, through a service like Hushmail or Countermail. How is this worse than nothing? You know, how about just reasonable security, for the simple occasions when one isn't plotting the overthrow of the U.S. government, exposing corporate corruption, or engaged in LE? This all-or-nothing approach is ridiculous.
     
    Last edited: Feb 11, 2011
  7. katio

    katio Guest

    You are right and they, incompetent.
    There is no need to send the password back for confirmation.
    The way it should be done is:
    (this is not an actual email from pcmag, you can keep your DMCA in your draft folder ;) :p)

    alternatively some sites also post a one time confirmation code which you need to enter into the site to confirm that you actually are the owner of the account and wanted to change the password and not some script kiddy who sniffed the password and wanted to lock out the true owner (because the "s" in https doesn't really exist in most cases, or does it? In their case it opens some connection to akamai.net, ah a 3rd party - how reassuring). A security concept that is based on the assumption that your email connection is encrypted and secondly, well see below:

    It's just an online magazine, I wouldn't care about any of their security. Consequently I would not sign up with an email address I care about, and not use my password that works on gmail, facebook, ebay and paypal....
     
  8. Saint Satin Stain

    Saint Satin Stain Registered Member

    Joined:
    Feb 16, 2004
    Posts:
    222
    Location:
    Huntsville, AL and Greenwich Village, NYC
    I have 12 email addresses and two of them are private personal, one for kin, kith & friends, the other for some gov and banks; I have two public boxes that I will put on sites; mail to them goes through 3 spam filters: their own, forwarded to Gmail, then downloaded to SeaMonkey Mail; the others are for special interests and research. Before I used this method I got spam in the public email addresses; now no spam gets through in either.

    It was one of my public boxes I used in the transactions with PCMag, but I still believe security is important. I use one of the private personal boxes for some government agencies and for banking.

    So you see, I have rational paranoia. I believe that PCMag is the only site or ISP to send me the password. The others say, as mentioned here: did you change your password? If you didn't, contact us; if you did, simply ignore this. No password is included.

    I will write corporate. That's a good suggestion. Thank you all.
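As an added example (my own code, not PCMag's system and not anything posted in this thread), here is a small model of the flow katio and Saint Satin Stain describe: a change notification that never carries the password, plus a single-use, time-limited confirmation code of which the site stores only a hash. The support address, the code length and the 15-minute lifetime are assumptions chosen for the example.

```python
"""Password-change notification and one-time confirmation code.

Example code for this discussion, not an actual site's implementation.
SUPPORT_ADDRESS, CODE_TTL_SECONDS and MAX_ATTEMPTS are assumed values.
"""
import hashlib
import hmac
import secrets
import time

SUPPORT_ADDRESS = "support@example.invalid"  # assumed placeholder address
CODE_TTL_SECONDS = 15 * 60                   # assumed lifetime of a code
MAX_ATTEMPTS = 5                             # assumed guess budget per code


def change_notification(username: str) -> str:
    """Body of the email sent after a change. It carries no password and
    no link: the reader either recognises the change or contacts support,
    so whoever can read the mailbox learns nothing usable."""
    return (
        f"Hello {username},\n\n"
        "The password on your account was just changed.\n"
        "If you made this change, you can ignore this message.\n"
        f"If you did not, contact {SUPPORT_ADDRESS} immediately.\n"
    )


def leaks_secret(body: str, secret: str) -> bool:
    """Check a sender can run before dispatching any mail: does the
    outgoing text contain the new password anywhere?"""
    return secret in body


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class ConfirmationCodes:
    """Single-use, time-limited codes the user types back into the site.

    Only the hash is kept server-side, so a copy of this table does not
    reveal live codes; the plaintext goes to the user exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [digest, expiry, attempts_left]

    def issue(self, account: str) -> str:
        """Create a fresh code for the account and return it for delivery.
        Any earlier code for the same account is replaced."""
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[account] = [
            _digest(code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def confirm(self, account: str, code: str) -> bool:
        """True only for the current, unexpired code; the code is consumed
        on success and revoked after MAX_ATTEMPTS wrong guesses."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expiry, attempts_left = entry
        if self._clock() > expiry:
            del self._pending[account]
            return False
        if hmac.compare_digest(digest, _digest(code)):
            del self._pending[account]  # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[account]  # too many wrong guesses
        return False


if __name__ == "__main__":
    new_password = "constructed-example-password"
    mail = change_notification("alice")
    print(mail)
    print("password leaked into mail:", leaks_secret(mail, new_password))
    store = ConfirmationCodes()
    code = store.issue("alice")
    print("code accepted:", store.confirm("alice", code))
    print("same code again:", store.confirm("alice", code))
```

The notification path and the code path are independent: a site can send the "did you change your password?" message without any code at all, and the code only adds value when the site, not the email, is where it is entered.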
     
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    How do you expect them to send you an encrypted e-mail when you haven't exchanged public keys? Encryption doesn't happen automagically.
     