I’m indebted to Clu-blog reader John who told me about an email he received at the end of last week from the social networking site Friends Reunited.
Launched in the UK in 2000, Friends Reunited pre-dated comparable sites such as Facebook by a few years, giving British computer users a way to reconnect with long-lost school friends.
Despite rapid early growth, the site was overtaken in recent years by other popular sites such as Bebo, Twitter and Facebook and saw its visitor numbers dwindle. To give you an idea of how it has fallen into the doldrums, it was bought by ITV for £120 million in December 2005, but was recently valued at a mere £20 million.
It is perhaps understandable then that they might send emails to the likes of John, who signed up in the site’s early days, but barely ever logs in now.
What particularly disturbs me, though, is that in its attempts to lure dormant members back to the site, Friends Reunited appears to be rather lax with its members' password security. In the example above it has emailed John the last three characters of his password.
Was that really necessary? In some cases the last three characters could give an unauthorised onlooker (anyone who can read the email in transit, on a shared computer, or in a compromised mailbox) enough of a clue to guess the whole password. At the very least it makes cracking the password that much easier than before: every character the attacker already knows is one fewer they have to brute-force, and a dictionary attack only needs to try the words that end in those three characters. It also tells us something about how the site handles passwords: it can only read off the last three characters if it keeps the password, or at least that part of it, in a recoverable form rather than solely as a salted hash.
What if other sites adopted the same approach and reminded their members (who haven't even requested a reminder) of, say, the first three characters of their password, or the middle four?
It wouldn't take long for an identity thief to piece it all together, would it?
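To put numbers on how much a leaked fragment helps an attacker, here is an added example of my own; it is not code from Friends Reunited or from the original post. It models each leaked slice as a (position, fragment) hint, works out how much of an 8-character password is left to guess, filters a dictionary down to the entries consistent with the hints, and runs an offline attack against a salted PBKDF2 hash with one hint and then with two hints combined from different sites. The wordlist, the target password "sunshine", the salt and the hint positions are all constructed for the illustration, and the PBKDF2 iteration count is kept deliberately low so the example runs quickly.

```python
import hashlib
import hmac

# Constructed wordlist and target: illustrative only, not data from the post.
WORDLIST = [
    "password", "letmein", "football", "caroline", "charlie1", "reunited",
    "valentine", "chelsea99", "qwerty12", "sunshine", "monkey42", "liverpool",
    "schooldays", "trustno1",
]

# A hint is (offset, fragment): `offset` is the 0-based index of the fragment's
# first character; a negative offset counts from the end, as in Python slicing.
# A "last three characters" reminder is therefore the hint (-3, "xyz").


def _start(offset: int, length: int) -> int:
    return offset if offset >= 0 else length + offset


def matches_hints(candidate: str, hints) -> bool:
    """True if every hinted fragment sits at its stated position in candidate."""
    for offset, fragment in hints:
        start = _start(offset, len(candidate))
        if start < 0 or start + len(fragment) > len(candidate):
            return False
        if candidate[start:start + len(fragment)] != fragment:
            return False
    return True


def unknown_positions(length: int, hints) -> int:
    """Number of positions in a password of this length that no hint fixes
    (overlapping hints are only counted once)."""
    known = set()
    for offset, fragment in hints:
        start = _start(offset, length)
        known.update(range(max(start, 0), min(start + len(fragment), length)))
    return length - len(known)


def brute_force_work(length: int, charset_size: int, hints) -> int:
    """Guesses needed to exhaust every password of this length and charset
    once the hinted positions are fixed; with no hints this is the full keyspace."""
    return charset_size ** unknown_positions(length, hints)


def filter_wordlist(words, hints):
    """Keep only the dictionary entries that agree with every leaked fragment."""
    return [w for w in words if matches_hints(w, hints)]


def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; real deployments
    # use far more (an assumption of this example, not a recommendation).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def crack(stored_hash: bytes, salt: bytes, words, hints):
    """Offline dictionary attack against a stolen salted hash, trying only the
    words consistent with the hints. Returns (password_or_None, guesses_made)."""
    guesses = 0
    for word in filter_wordlist(words, hints):
        guesses += 1
        if hmac.compare_digest(hash_password(word, salt), stored_hash):
            return word, guesses
    return None, guesses


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed and fixed so the run is repeatable
    stored = hash_password("sunshine", salt)
    print("8-char alphanumeric keyspace:", brute_force_work(8, 62, []))
    print("with last three known:       ", brute_force_work(8, 62, [(-3, "ine")]))
    print("plus first three known:      ", brute_force_work(8, 62, [(0, "sun"), (-3, "ine")]))
    for hints in ([], [(-3, "ine")], [(0, "sun"), (-3, "ine")]):
        print(hints, "->", crack(stored, salt, WORDLIST, hints))
```

With no hint the attacker must try the whole dictionary (ten guesses before reaching "sunshine"); one site's "last three characters" cuts that to three candidates, and a second site's "first three characters" leaves exactly one. For an exhaustive search the effect is larger still: knowing three of eight alphanumeric characters shrinks the keyspace from 62^8 to 62^5, and two such reminders leave only 62^2 possibilities.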
Friends Reunited may well have permission to email its members from time to time with reminders of what the site has to offer, but it shouldn't be sending password hints unless the user has actually requested one.