Saturday, May 22, 2010

How are https sites secure when they all rely on an email account to reset your password?

Take any site like e*trade or Bank of America, etc., and they all do a good job of using https and never sending your password in clear text... but... if you forget your password they will send recovery instructions to your email account. Your POP3 email username and password ARE sent in clear text, right? So, couldn't someone get my email password and use it to get the password-reset instructions for my e*trade account?

Yes, you are correct: if someone got your email password, then went to etrade, as an example, and also had your login information, they could attempt to reset your password. Generally there are security questions asked before they send that new password, to verify it is you. However, if you are afraid that someone could log in to your email and get that new password after it has been sent, please keep in mind the password is only a temporary password and should be changed as soon as you get the confirmation email.
Reply: I don't think they send it to you in clear text. You see it in clear text because your system decrypted it after it received the message. Hope that helps.
Reply: Depends on the provider. Most of the big ones (Yahoo!, Hotmail, etc.) use SMTP over SSL, so the passwords are not sent in plain text. For example, Yahoo uses POP3 over SSL on port 995, and SMTP over SSL on port 465.
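The question and the last two replies turn on what a passive observer on the network path actually sees during a POP3 login. The following is an added example (not code from the original post or from any provider named above) that replays three constructed POP3 transcripts in a "C:" / "S:" client/server notation and extracts whatever username/password pairs travel in the clear. The transcripts, the `<encrypted>` placeholder for bytes carried inside TLS, and the function name `exposed_credentials` are all my own assumptions; the STLS command and the USER/PASS commands are standard POP3.

```python
"""Added example: what a passive observer learns from a POP3 login.

Three constructed transcripts (not real captures):
  * CLEARTEXT_110: plain POP3 on port 110, USER/PASS sent in the clear.
  * STLS_110:      client upgrades with STLS before authenticating; everything
                   after the server's "+OK" is ciphertext, shown as "<encrypted>".
  * STLS_STRIPPED: the STLS request is answered with "-ERR" (a server that does
                   not support it, or an on-path attacker stripping the upgrade)
                   and the client falls back to authenticating in the clear.
"""
import re

_USER = re.compile(r"^C: USER (\S+)$")
_PASS = re.compile(r"^C: PASS (\S+)$")

CLEARTEXT_110 = """
S: +OK POP3 server ready
C: USER alice@example.com
S: +OK
C: PASS hunter2
S: +OK Logged in.
"""

STLS_110 = """
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
<encrypted>
<encrypted>
<encrypted>
"""

STLS_STRIPPED = """
S: +OK POP3 server ready
C: STLS
S: -ERR TLS not available
C: USER alice@example.com
S: +OK
C: PASS hunter2
S: +OK Logged in.
"""


def exposed_credentials(transcript):
    """Return the (user, password) pairs readable in cleartext on the wire.

    Only the USER/PASS mechanism is modelled; once an STLS request has been
    accepted with "+OK", all later lines are opaque to the observer and are
    skipped. A rejected STLS leaves the session in the clear, so credentials
    sent afterwards are still captured (this is the downgrade case).
    """
    found = []
    pending_user = None
    in_tls = False
    awaiting_stls_reply = False

    for raw in transcript.strip().splitlines():
        line = raw.strip()
        if in_tls:
            continue  # ciphertext: nothing to read
        if awaiting_stls_reply:
            # Only a positive reply moves the session into TLS.
            in_tls = line.startswith("S: +OK")
            awaiting_stls_reply = False
            continue
        if line == "C: STLS":
            awaiting_stls_reply = True
            continue
        m = _USER.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = _PASS.match(line)
        if m and pending_user is not None:
            found.append((pending_user, m.group(1)))
            pending_user = None
    return found


if __name__ == "__main__":
    for name, text in (("CLEARTEXT_110", CLEARTEXT_110),
                       ("STLS_110", STLS_110),
                       ("STLS_STRIPPED", STLS_STRIPPED)):
        print(name, "->", exposed_credentials(text))
```

Implicit TLS on port 995 (the Yahoo configuration mentioned in the reply) corresponds to a transcript that is `<encrypted>` from the first byte, so the function returns nothing for it; the interesting case is the third transcript, where a client that does not insist on TLS quietly authenticates in the clear after the upgrade is refused.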
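The first answer's mitigation (the emailed secret is only temporary and must be replaced immediately) is usually implemented server-side as a single-use, short-lived reset token rather than a literal password. The following is an added example, not code from the original post or from any site mentioned in it, showing that flow: the server stores only a hash of the token, so a database leak does not expose usable tokens; the token expires; and it is invalidated on first use, so an attacker who later reads the same email cannot replay it. The class name `ResetTokenStore`, the 15-minute lifetime, and the injectable clock are my own assumptions.

```python
"""Added example: single-use, time-limited password-reset tokens."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset token is valid for 15 minutes


class ResetTokenStore:
    """Issues reset tokens and redeems them exactly once before expiry.

    Only SHA-256 digests of tokens are kept; the raw token exists solely in
    the email sent to the user. `now` is injectable so expiry can be tested
    without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        # digest -> [username, expires_at, used]
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        """Create a token for `username` and return it once, for emailing."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._tokens[self._digest(token)] = [
            username, self._now() + TOKEN_TTL_SECONDS, False]
        return token

    def redeem(self, token, new_password_hash, accounts):
        """Set a new password if the token is known, unexpired and unused.

        Lookup is by digest of a high-entropy token, so the dict lookup does
        not give an attacker a usable timing oracle on the token itself.
        Returns True on success, False otherwise (the caller should not
        reveal which check failed).
        """
        entry = self._tokens.get(self._digest(token))
        if entry is None:
            return False
        username, expires_at, used = entry
        if used or self._now() > expires_at:
            return False
        entry[2] = True  # burn the token before touching the account
        accounts[username] = new_password_hash
        return True


def demo():
    """Walk through issue / redeem / replay / expiry with a fake clock."""
    clock = [1_000.0]
    store = ResetTokenStore(now=lambda: clock[0])
    accounts = {"alice": "old-password-hash"}

    token = store.issue("alice")  # this value goes out in the email
    first = store.redeem(token, "new-password-hash", accounts)
    replay = store.redeem(token, "attacker-chosen-hash", accounts)  # mailbox read later

    stale = store.issue("alice")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(stale, "attacker-chosen-hash", accounts)

    return {"first": first, "replay": replay, "expired": expired,
            "password_hash": accounts["alice"]}


if __name__ == "__main__":
    print(demo())
```

The replay check is the one that answers the original worry: even if the reset email is still sitting in a mailbox whose POP3 password was sniffed, the token inside it is dead once the legitimate user has used it, and it dies on its own after the lifetime elapses.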
