Passwords in Email
It happened again. I created an account with a service (a domain registrar), and their welcome email contained the password I had just given them. You might think that is fine, because maybe they didn't store that password in plaintext in their DB. Maybe they hashed it. If you are not sure what hashing means, read this auth0 article.

Hashing in short: normally passwords are stored in the database in a cryptographically secure form called a hash. A hash cannot be reversed back into the password; it can only be brute-forced, and the stronger the password, the longer that takes, potentially tens or hundreds of thousands of years (the hashing algorithm and salting also affect how hard brute-forcing is). This means that if somebody hacks the database, the attacker won't get all the customers' passwords. ...
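As an added illustration (not code from the post), here is the salted, one-way password storage the paragraph describes, using Python's standard-library PBKDF2. The iteration count, the `StoredCredential` record and the `welcome_email` helper are this example's own choices; the point is that a welcome mail built from what the database actually holds cannot contain the password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Example parameters (assumed here, tune for your own deployment).
ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredCredential:
    """What the database keeps: a random salt and a digest, never the password."""
    username: str
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: one-way, slow by design to hinder brute force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> StoredCredential:
    """Hash at registration; the plaintext is gone once this returns."""
    salt = os.urandom(SALT_BYTES)
    return StoredCredential(username, salt, hash_password(password, salt))


def verify(cred: StoredCredential, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(cred.digest, hash_password(attempt, cred.salt))


def welcome_email(cred: StoredCredential) -> str:
    """Built from the stored record alone, so it cannot leak the password."""
    return f"Welcome, {cred.username}! Your account is ready."


if __name__ == "__main__":
    # Constructed sample input.
    cred = register("alice", "correct horse battery staple")
    print(verify(cred, "correct horse battery staple"))   # True
    print(verify(cred, "wrong password"))                 # False
    # Same password, fresh salt: different digest, so precomputed tables fail.
    other = register("bob", "correct horse battery staple")
    print(other.digest != cred.digest)                    # True
    print(welcome_email(cred))
```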