Stumbleupon password policy

September 10, 2008 in en, rant, security

I already wrote one post about passwords few weeks ago. As much as we would like to, passwords are not going away in foreseeable future. But it seems I found something worth mentioning again :)

Recently I started using stumbleupon. For those who don’t know this site I provide short description from their main page:

StumbleUpon discovers web sites based on your interests. Whether it’s a web page, photo or video, our personalized recommendation engine learns what you like, and brings you more.

It’s basically social networking site for link rating and exchange. It’s a nice way to discover yet unknown gems of the Interweb. Just stumble around :)

Here’s what sparked my interest. After registering with the site I received following email:

StumbleUpon

Discover new web sites

Hi xxx,
Thanks for joining StumbleUpon! Please click here
to verify your email address:

http://www.stumbleupon.com/verifyuser.php?email=3Dxxx%4=0gmail.com&verification=3Dd6z505kjmtjox3

Here are your login save this information and
store it securely:

Email: xxx@gmail.com

Password: MY PASSWORD IN CLEARTEXT

...
...

What the hell are they thinking? Sending cleartext password through email is not acceptable for quite a few years now, especially for large public websites. There are other options when users forget their password, for example:

  • resetting password to random one that is usable only once,
  • using control questions, i.e. “What was the name of your first pet?”. They are not very secure, but still better then cleartext passwords.
  • lots of other options (google training for the readers :) )

Maybe they count on Stumbleupon being low-risk site, where losing account is not dangerous to your online identity. But they obviously forgot that most users use the same password over and over again. So their password for Stumbleupon will be the same as for their Gmail account, and that will be the same as xy other passwords. I am only fortunate that I stopped recycling passwords long time ago. Shame on you Stumbleupon!