MySpace: Emails My Password But Says “Keep It Secret. Keep It Safe.”
by Bob Caswell
Last month I picked on search engine Mahalo as an example of a company emailing its customers passwords. I mentioned how having your password floating around openly on mail servers can defeat the purpose of having a password in the first place. Mahalo’s founder and CEO, Jason Calacanis, joined the discussion and some good thoughts were shared from both sides of the issue.
Today I found out that MySpace is on the list of companies sending out passwords through email. I finally signed up (that could be a separate conversation, why I’ve ignored MySpace till now) and promptly got a welcome email with my password staring back at me. MySpace, though, takes it one step further and adds insult to injury by saying “Keep it secret. Keep it safe.” right below my visible password. As if I had a choice at that point. MySpace, you just made it less secret and less safe.
But, of course, I used an I-don’t-care-as-much-if-others-know password that I wouldn’t use for other “important” sites. And I’m sure that the hundreds of millions of MySpace users do the same (yeah, right). In all seriousness, though, I can see how certain sites don’t need the same level of security as others. As an example, there is an obvious difference between MySpace and your bank in terms of security.
In reality, though, there’s a wide spectrum of sites and services protected by passwords. It’s not black and white with only “banks” on the one side and “social networking” on the other. So who should decide which service deserves what level of protection? Well, in this case, it’s my opinion that it’s in the best interest of any company protecting your information with a password to avoid sending that password insecurely over email.
But assuming a world where there will always be companies that send passwords in emails, the very least they could do is tell you this before you decide on your password. That way, you’d know to what degree a company values the protection of your information before you decide on what password to give them.
One very simple implementation of this is that of a company showing you your password as you choose it. You’d then know that this should be a less important type of password. In fact, I’m not sure why asterisks are necessary to “hide” your password as you’re typing it the first time if 30 seconds later the same password previously hidden by asterisks is visible on screen in your email.
However the “less secure” message is conveyed before you create your password, is it too much to ask for this kind of disclosure from companies?
Note: This article is cross-posted at BobCaswell.com.



March 5th, 2008 at 9:27 am
Thank you. This is a question which I often ask myself. Why do I receive new/reset/forgotten passwords by e-mail? And I think this is why people often confuse certain accounts with being ‘safe enough to store sensitive info’.
Considering it may be a bit difficult to get all the big guys to change their ways, we may have to work from the bottom up. Basically, when you get your password via e-mail, change it immediately in a safe place such as a password manager (PassPack) that generates strong and unique passwords, encrypts and then stores them in such a way that only you have access to them:
http://tinyurl.com/2rtbzw
And keep in mind that re-using passwords is never a good idea.
Louise Vinciguerra (PassPack)
March 5th, 2008 at 9:50 am
Thanks for the tip, Louise. I keep meaning to try out and review PassPack. Maybe I’ll get on it and actually start being more responsible with my passwords. Say hi to Tara.
March 10th, 2008 at 9:23 am
Hi Bob!
March 31st, 2008 at 10:16 pm
myspace safes to keep my stuff in