Is there a safe way to send a user their password in clear text via email?

Question

If I understand correctly, the biggest problem with sending a password via email is that it requires the password to be stored in clear text in the database. If the DB is compromised, the attackers will gain access to all accounts.

Is there a workaround for this problem?

How can one make sending a user their password via email as safe as possible?

Answer 1

The simple answer is: don't. If you think your database is insecure, an email is far, far less.

If you mean that you want to send them their password when they register, then you could do that before you store it in the database, but you shouldn't.

If you mean after they have registered, the only option is to store in plaintext (again, don't do this) or make a new, random password and send them that. It is impossible to get their password from the hash, which is why it makes the password storage safer. The best option is to generate a new (temporary) password you send them, or a token giving them access to a password change system.

You may want to consider a good hashing algorithm like BCrypt that includes a salt.

Answer 2

There is a workaround which is less secure than a password reset but works if it is a requirement that users are sent a password, not a reset link.

What you do is you generate a new password that contains sufficient randomness to be very hard to guess, but is also formatted in a way that it is easy for them to remember and read out (say over the phone).

Something like: xyz-xyz-xyz-nnnn where xyz is an easy-to-spell but uncommon word and nnnn is a four digit number.

Then set it up so that this is a temporary password that needs to be changed on first login.

Set the password using the same logic you would use to set a normal password, so that it is correctly salted and hashed, and then send the password plaintext via email, like so.

Dear FirstName LastName,

You requested we reset your password.

Your new password is:
insipid-mirth-nonplus-9174

You will be able to log into the system once using this password, then you will need to enter a new password.

Important Caveats

This system has some serious vulnerabilities which make it unsuitable for websites where data security is crucial. There are more than these, but these are the ones I know/can think of:

1. Unlike systems which use a password reset link, this system could be used to lock someone out of the system (assuming you use it as is) unless you either require someone to fill out identifiable information before issuing the password reset, or send a "are you sure you want to reset your password?" email first. This would entail them clicking on a link with a GUID that goes to the server; at that point they may as well be sent to the password reset form anyway.
2. Since the password is being sent plain text via email, there is a danger it can be intercepted and the password can be used. Although to be fair this is not that much different than the risk of sending a password reset link.
3. If you ignore the risks in step #1 and you don't use a sufficiently random way of generating passwords (say you use a word list of fewer than 1000 items), someone who has hacked into your server will be able to retrieve the salted password hash and then write an algorithm that generates all possible passwords and checks them against the hashed password. Not as much of a problem if you use a cryptographically complex hashing algorithm.

Answer 3

If you want to send password to user via Email in cleartext and want to store those password into database as hash or any other format . It will be possible.......

Just you will have to follow some simple way....

1 .you will have to take those password as variable which will send from user.
2. When you store database then just convert it as you wishes format.
3. But when you send those to user by mail , That time just sent those variable password...

I think it will be helpful to build your concept about WAY.......

Answer 4

Yes, there is a common workaround.

Assuming that you have your users in your database.

You send the "password reset link" containing some "key" information, like a guid. An example link is a form:

http://your.site.com/setpassword?id=5b070092-4be8-4f4d-9952-1b915837d10f

In your database you store the mapping between sent guids and emails.

When someone opens your link, you check your database and you can find out who asks for the page - because any valid guid maps to an email. You can then safely let the user change his/her password assuming their email is not compromised.

When it's about to store the password, you never store it in plain text, you always hash passwords, using additional random salt to make the dictionary attack more difficult when someone breaks into your database.

Answer 5

You should be hashing all passwords in your database.

sha1($_POST['password'].$salt.$username);

In the case of a lost password

A user requests a password reset link, which contains a hash generated in the "user_meta" table. When the user recieves this link, the hash is compared to that in the database, and the user will be able to UPDATE their current password with a new password.

The PTXT of the password is never reveiled.

You only compare hashes.

Answer 6

I don't know if my suggestion is feasible for your scenario, but you should better keep the data hashed or encrypted and send password reset links instead of plain-text passwords.

Answer 7

The moment the password is in cleartext in the email, it is inherently insecure.

As such, there is no safe way to send a password in cleartext safely.

You should not be storing passwords in cleartext in your database - you should be using salted hashes. When the user enters their password, you hash it with the salt and compare to the stored hash.

When people forget their password, instead of sending passwords by email, you should send reset links backed up by expiring tokens. These would generate a temporary new password (that would expire within minutes).