
Telltale emails password unencrypted

posted by professor - Viewed by 124 users

When I created a new user account, Telltale sent me an email with my password unencrypted. I would hope that you would take security more seriously. Do you guys even encrypt the password in your databases?

5 Comments
  • Thanks for writing. I brought this up with our tech guys and they let me know the passwords *are* encrypted on the server, although in a reversible format.

  • I think he's complaining that an unencrypted password is sent in unencrypted E-mail, so his E-mail provider could peek and get his top secret Telltale password.

    I've noticed for a long time that the sign-on in the corner is not encrypted (https, no lock icon), which keeps me from signing on in public Wi-Fi spots (anyone in the place could get my password by monitoring the network).

    However, on the plus side, Telltale doesn't store credit card details, so if someone were to get into my account, what would they do? Post obnoxious messages? Play my games? Well, maybe, but all that can be cleaned up pretty easily, and you guys and gals are receptive enough that I'm confident you'd help out if that ever really happened. So I don't worry about it too much.

    Now if you guys started selling pay-per-play games with payment details stored, I would be more concerned. If you ever decide to move into that area, you should revamp your security.

  • Thanks for the update.

    I generate a unique password for each site that I use; however, several friends of mine do not do this. They use the same password with Telltale as they do for their amazon.com account and their bank account. We can blame the users, but as engineers we should build good systems around "stupid" user behavior. It is considered very bad form for a website to email the user their password, as any machine between my machine and your machine can read that password, and any machine on my network can also read that password. For example, if your user is a student in a dorm, then anyone else in that dorm now has their password. Yes, they probably can't do much damage logging into Telltale. At the minimum it appears unprofessional and gives the impression that security isn't important here. At the maximum, I would imagine that it is a legal liability. (Of course, I am a software developer, not a lawyer.)

  • The worst part is that TT even knows it's stupid to send passwords in plain text. I just registered and got my password via email. The email includes this text:
    "Yes, we know, they're printed in huge green text legible from across the room."
    So they know and admit it's a liability, but they do it anyway. I changed my password, curious to see if the new one would also be sent in plain text, and the text in that email says:
    "Your New Password: ************ (hidden for security purposes)"
    So again, they know it's a stupid thing to do, but purposely do it first time round.
    *shakes head*

  • When we built the current account system it was an internal requirement from our boss at the time to display passwords in a human readable format on the sign-up email. It's never been seriously addressed again in the 4-5 years since then.
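The thread turns on two points: the first reply's "encrypted, although in a reversible format" (which is exactly what makes it possible to print the password in the sign-up mail) and the last reply's admission that the sign-up email shows the password. The following is an added example, not Telltale's code, showing the defender's alternative: passwords are stored only as salted PBKDF2 hashes, so the server has no plaintext to put in any email, and forgotten passwords are handled with a short-lived one-time reset token whose hash (not the token itself) is kept in the database. The iteration count, token lifetime, in-memory `USERS` store and the sample usernames and passwords are all constructed assumptions.

```python
"""Added example (not Telltale's code): one-way password storage and a
reset-token flow that never places a password in an e-mail."""
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

ITERATIONS = 600_000          # assumed work factor; tune to your hardware
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link

# Constructed in-memory "database": username -> record
USERS: Dict[str, dict] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    Only a salted PBKDF2 hash is kept, so the plaintext cannot be recovered."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def register(username: str, password: str) -> str:
    """Store the hash and return the sign-up e-mail body. Because only the
    hash exists server-side, the mail cannot echo the password back."""
    USERS[username] = {"pw": hash_password(password), "reset": None}
    return (f"Welcome, {username}.\n"
            "Your account is ready. If you forget your password, use the "
            "reset link on the sign-in page.\n")


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Generate a one-time token. The mail carries the token; the database
    keeps only its SHA-256, so a leaked database does not yield usable links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = {
        "digest": hashlib.sha256(token.encode("ascii")).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, then replace the hash."""
    now = time.time() if now is None else now
    pending = USERS.get(username, {}).get("reset")
    if pending is None or now > pending["expires"]:
        return False
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(digest, pending["digest"]):
        return False
    USERS[username]["pw"] = hash_password(new_password)
    USERS[username]["reset"] = None   # single use
    return True


if __name__ == "__main__":
    print(register("professor", "correct horse battery staple"))
    print("login ok:", verify_password("correct horse battery staple",
                                       USERS["professor"]["pw"]))
```

The stored record is self-describing (`algorithm$iterations$salt$hash`), so the iteration count can be raised later and old records re-hashed at next login. The reset token goes to the user exactly once; what the database holds is only its digest, and a token is rejected if it is unknown, expired, or already used.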
