A Swedish ISP, one of the country’s biggest suppliers of broadband and other communications services, has been accused of sending customer passwords in plain text. Critics say the practice is discouraged and points to a weak online security policy.
According to ComputerSweden, customers of Com Hem have complained that the company emails users their passwords in plain text, with no encryption at all. The password is sent after a customer signs up for a new subscription and also when a customer requests a password reset. The company did not deny the practice.
At the same time, Com Hem urges its customers to be cautious with their passwords.
“Be careful with your user identity and password! These are personal and should be used with caution. You are responsible for activities that take place with this identity and solution,” the company says to customers.
Com Hem acknowledges that it sends a temporary password to the customer by email, but says it has a safety net in place: the email containing the password never includes the username. The company adds that the password is auto-generated and should be changed by the customer as soon as possible. Apparently, Com Hem considers this a good-enough safety net.
“You usually send a link where the member is allowed to enter a new password. You should never send a password in plain text! Do you also save the password in plain text and then blame me if there is a security problem? Should you laugh or cry about this ‘security aspect’?”, an upset customer wrote in an email to Com Hem.
When asked whether the practice will continue, Joel Ibson, communications manager at Tele2, which owns Com Hem, said that they are reviewing the policy and are considering the use of BankID instead of passwords.
“It is true that customers who request a new password can have a temporary password sent by e-mail. In this case, we have a routine that usernames should not be entered in the same e-mail, to ensure that the password cannot be associated with the user. It's a temporary autogenerated password that the customer is meant to change as quickly as possible,” says Ibson.
Another thing that made customers irate is that the email domain used to send the password emails is not even representative of Com Hem. The email comes from [email protected] This leads some customers to suspect that the email was not officially sent by Com Hem.
Mr. Ibson said that they are reviewing a possible solution to this, but for now the practice will continue.