US Utilities Still Email Plain Text Passwords to Customers

An interesting article by Ars Technica highlights the dangers of re-using passwords between different websites, and claims that American utility companies are routinely emailing lost account passwords to forgetful users.

As the article points out, being sent your password by email, rather than being given the option to reset your password via a temporary one, exposes the customer and the utility to a significant risk of hacking. Firstly, because it’s a highly insecure way to run a business, and secondly, because many people re-use variations of the same password for a myriad of different online accounts.

While utility companies are not telcos, there are overlaps in the billing, assurance and security practices of utilities and telcos, especially for smaller, regional ones. As Ars Technica says, end users are not particularly concerned with the detail of how to keep their account secure, with the implication that it is therefore the business of the utility to take that responsibility.

The article says:

In reality, most companies are an awful lot like end users: they don’t know, or care, as much about security as the typical Ars Technica reader might like.

Not keeping close control over passwords is playing a dangerous game, it says:

Passwords are among the most important data assets any organization has. In much the same way, companies get fire insurance with the hope they’ll never use it, organizations must have robust hashing regimens to protect passwords in the event there is ever a breach.

Customers can’t be relied upon to be alert to their own security and hackers know this:

Most users, unfortunately, re-use passwords between different websites and Internet-accessible accounts with wild abandon. They may change it up a little bit — add a number on the end here, stick a special character in the middle there — but this doesn’t actually add a significant degree of security. Modern penetration tools (like Burp Intruder) automatically “fuzz” passwords as necessary when the attacker attempts to use them to access other, more valuable resources.

These exploitable resources include just about anything from which you can make money; eBay accounts, Amazon accounts, even World of Warcraft accounts are popular targets for an attacker looking to make a quick buck. Even more worryingly, if a user re-used their email password (or some variant thereof) to log into the compromised website, the attacker can leverage access to the user’s email account to reset the passwords to just about anything else the user accesses online. This is romper-room security stuff for 2008, let alone 2018.

Marianne Curphey
Marianne Curphey
Marianne Curphey is an award-winning freelance writer, blogger and columnist. She is a former Editor of Guardian Money online, City News Editor of The Guardian, Insurance Correspondent of The Times and Deputy Personal Finance Editor at The Times.