My web hosting package was due for renewal today and I received this email (yeah, I’ve redacted some information to protect me and the people in question); I was quite shocked with the content of the URL that was in the body of the email:
Yes, you read that right, they sent me an (insecure) email that contains in clear text everything you would need to access my account with that provider. Why bother with that https:// at the beginning of the URL if you’re going to stick my username and password in the text of the email body too! You don’t need to try and bypass SSL and watch what is being sent to the site; all you need to do is get hold of the email being bounced (insecurely) around SMTP servers and you can have full unadulterated access to my hosting package! (and possibly more – read on!)
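As an added illustration (not code from the post or from the hosting provider), here is the kind of outbound-mail check a provider could run to catch exactly this mistake: it finds URLs in an email body whose query string carries a password-style parameter, reports them, and returns a redacted copy. The host name, parameter names and sample email body are constructed for the example.

```python
"""Flag and redact login URLs that carry credentials in the query string of an
outgoing email body. Sample input below is constructed, not a real message."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys that should never travel inside a URL sent by email.
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey", "api_key"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def credential_params(url):
    """Return the names of secret-bearing query parameters found in url."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SECRET_KEYS]

def redact_url(url):
    """Replace secret query values with a marker; keep the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_email_body(body):
    """Return (findings, redacted_body); findings is a list of (url, [secret keys])."""
    findings = []

    def _sub(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:)")          # trailing punctuation is not part of the URL
        tail = raw[len(url):]
        keys = credential_params(url)
        if not keys:
            return raw
        findings.append((url, keys))
        return redact_url(url) + tail

    return findings, URL_RE.sub(_sub, body)

# Constructed sample of the problem described above: a renewal notice whose
# "log in" link embeds the account username and password.
SAMPLE_BODY = (
    "Your package renews today. Log in here: "
    "https://cp.example-host.invalid/login?user=jsmith&password=hunter2&pkg=42 "
    "and review your plan.\n"
    "Support: https://cp.example-host.invalid/help\n"
)

if __name__ == "__main__":
    found, clean = scan_email_body(SAMPLE_BODY)
    for url, keys in found:
        print("credential-bearing URL:", url, "->", keys)
    print(clean)
```

A check like this belongs in the mail-sending path or an outbound DLP filter; a hit means the link should be replaced with a one-time, expiring login token rather than just redacted.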
I don’t mean to pick on these guys, they aren’t an isolated case, and other people have articulated why this kind of thing is REALLY bad better than I can so I refer you to Jeff Atwood’s articles on “The dirty truth about web passwords” and his post about “The internet drivers license”.
Update: Forgot to add this link in: Smart enough not to build this website