Wednesday, September 06, 2006

Email Security

So I get the following email from one of the journals for which I am on the editorial board:

Dear Prof. Munger,

We appreciate you reviewing for the Journal of Rectal-Cranial Inversion. The journal will now be published by BANGALORE CORP. As the new editors we would like to invite you to go to our submission website, http://mc.manuscriptlosing and update your account by using the following user id, munger@college.EDU. To retrieve your password, please enter your email address into the Password Help function on the log in page. For security purposes we have not included your password in this email.

We greatly value your time in the all important process of reviewing and look forward to working with you in the future.

Let us know if you have any further questions.

Prof. Thing One and Prof. Thing Two
Editors of JRCI

So, I go to the website, and enter my email address. I could see what was coming, but refused to believe it. And then it happened: the publisher website sent me an email....AN UNENCRYPTED EMAIL!...with my password.

Immediately, I send the editors an email, asking how an email from a publisher is more secure than an email from the editors, which would have saved me several minutes updating my account. Haven't heard back yet.....will advise.

UPDATE 1: Got this email from manuscript losing software program:

Dear Prof. Munger:

This e-mail has been automatically generated per your request.

Your USER ID is munger@college.EDU
Your single use password is bitemedo45
Please note that this password will expire on Sat, 9 Sep 2006 18:52:05 GMT / Sat, 9 Sep 2006 14:52:05 EST.
If this password has expired, you can generate a new one by entering your email address into the 'Password Help' function on your site log in page:
When you log in with it you will be prompted to set a permanent password.

Yep, that's MUCH more secure than an email....


James said...

Oh, come now. You know very well that security can mean many things, ranging from an objectively decreased risk of some undesirable event to a subjective feeling that "bad things won't happen to me." From context, the only reasonable interpretation is that the publishers of this journal meant security in the latter, feel-good, sense of the word. You are just being an overly literal intellectual bully.

(Yes, I'd kidding.)

Michelle said...

I received the same email, but promptly deleted it. If they want me to review again, they can set me up a new account. Likewise, if I submit something. Why would I want to make it easier for them to ask me to review AGAIN?

mungowits said...

James is kidding, but he speaks truth.

Michelle....DAMN! She's right. I'm a patsy.

I'm going to go sulk now.

Dirty Davey said...

I must point out two key distinctions between the first message and the second:

First, you explicitly requested the second message, meaning that you intended to view it and act on it in short order.

Second, the password provided is for one-time use and has a fairly quick expiration.

To my mind, there's a big difference between:

(a) creating an account and non-expiring password and sending that information in an unsolicited, unexpected email message, and

(b) emailing, unencrypted, a one-time, expiring password in response to an explicit user request.

Exploiting the former would simply require an evildoer to get a copy of one message (among many sent) before an intended recipient got around to acting on it.

Exploiting the latter would require intercepting the message in real time and using the password before the intended recipient read it and used it (and before the natural expiration).

In this case, the message with the password is not functionally different from one of those long, complex URLs that many sites send in response to a lost password request: the URL in the plain text of the email allows the recipient to log in and set the password just as does the plain-text password you received.


mungowits said...

Hmmm....that seems like a pretty good argument, DD! Thanks....

Email Security Solutions said...

Excellent! Great Argument..... Best Wishes