The Daily WTF: Curious Perversions in Information Technology

Secure Payslips

Last post 02-06-2010 2:15 AM by nat42. 9 replies.
  • 01-31-2010 8:54 PM

    Secure Payslips

    The (supposed) industry-leading, multi-national engineering company I work for has just implemented a new payslip system. They email a password-protected PDF copy of your payslip every month.

    Sounds fine so far, right? The wtf is that they also send a second plain text email, at the same time as the payslip, that contains your password. Every month.

    I'm *almost* surprised by this. Although the fact that the industry-leading, fantastic, brilliant application that runs the core business is based on VB6 may say something.

  • 01-31-2010 11:42 PM In reply to

    Re: Secure Payslips

    I seem to recall PDF passwords not being very secure, too...

  • 02-01-2010 9:01 AM In reply to

    • Mole
    • Top 100 Contributor
    • Joined on 09-23-2008
    • Posts 293

    Re: Secure Payslips

     Kinda like the websites that asterisk out your password as you set up your account, and then email it to you to ensure you don't forget it?

  • 02-01-2010 12:36 PM In reply to

    Re: Secure Payslips

    Mole:

     Kinda like the websites that asterisk out your password as you set up your account, and then email it to you to ensure you don't forget it?

    Because nobody cracks email accounts.


    I contribute to the F@H Project because I hated seeing my grandfather die from the implications of Alzheimer's
  • 02-01-2010 1:26 PM In reply to

    Re: Secure Payslips

    Indrora:

    Mole:

     Kinda like the websites that asterisk out your password as you set up your account, and then email it to you to ensure you don't forget it?

    Because nobody cracks email accounts.

    Of course not.  Email accounts have asterisks, too.
  • 02-01-2010 1:33 PM In reply to

    Re: Secure Payslips

     

    Indrora:

    Mole:

     Kinda like the websites that asterisk out your password as you set up your account, and then email it to you to ensure you don't forget it?

    Because nobody cracks email accounts.

    Or use some kind of network sniffer/man-in-the-middle attack to grab a copy of any mail that contains the words password/passwd/username/user etc. People often forget that mail is not as secure even as a letter; it's a postcard where anyone handling the item can read it. I blame in part the user interfaces, for showing images of letters instead of postcards.
    The Adventurous Space Janitor
  • 02-01-2010 1:56 PM In reply to

    Re: Secure Payslips

    metallurg:
    The wtf is that they also send a second plain text email, at the same time as the payslip, that contains your password. Every month.
    I had a similar experience once with a salary review when I was working in a different country to my manager. He wanted to send me details of the review via email. I was pissed off with him (and about to quit anyway) so played the "email is not really secure" card to see what hoops I could get him to jump through. His ultimate response was to send the review in a password-protected zip file and send the password in a separate email. For added security the password was not sent in plain text. No - he thought up a code all by himself. The password was encoded as a sentence that read "The password is name of the company backwards". And all of this sent through the company's email servers!
  • 02-01-2010 2:13 PM In reply to

    • Mole
    • Top 100 Contributor
    • Joined on 09-23-2008
    • Posts 293

    Re: Secure Payslips

    OzPeter:
    The password was encoded as a sentence that read "The password is name of the company backwards". And all of this sent through the company's email servers!
    Classy. I like it. I've had emails where the password was the name of the company (all in lower case for ease of use), but never had it backwards. I'll have to forward your message to management. You don't mind if they take the credit and run with it do you? No? Excellent. 

  • 02-01-2010 6:30 PM In reply to

    Re: Secure Payslips

    I should mention that the password for the payslips is really hard to work out - it's the person's surname, followed by their start date.

  • 02-06-2010 2:15 AM In reply to

    • nat42
    • Not Ranked
    • Joined on 05-29-2008
    • Posts 21

    Re: Secure Payslips

    metallurg:

    I should mention that the password for the payslips is really hard to work out - it's the person's surname, followed by their start date.

    Wow; that is insecure. Our payslips are emails with attached zipped PDF files, encrypted with a random password for strength! [All passwords are allocated by payroll and cannot be changed; they consist of two [2] numeric digits. I estimate that with that level of security one would need at least 1 minute with a 386-based PC to brute force the files; clearly we have the superior system!!]