griping about a “password” system

April 28th, 2015 by Jeanne Boyarsky

I emailed a company today asking for my account to be linked. I did NOT ask for a password reset. What I got was an email with a plain-text copy of my password. Aghhhhh! That’s just asking for someone to hack my account (or all the accounts). Passwords should be stored using a one-way hash at least.

Problem 1 – username

My user id is not my last name, my email, or anything I have any shot of remembering, and I didn’t get to pick it. Which means it is written down.

Problem 2 – storing the password in plain text

This company shouldn’t be storing passwords in plain text or in any reversible “encoding” from which they can get the original password back. And the only thing I can think of to make that worse is to email the password.

Problem 3 – password requirements

Since my password was sent in the clear, I went to change it. I wanted to make it a sentence about not emailing the password. That way if someone does it again, he/she at least has to read my note. I changed the letter s to $ in my sentence as one might expect. Guess what? Only letters and numbers are allowed.
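To make Problems 2 and 3 concrete, here is an added example (my own illustration, not code from the post or from the company in question) of what the account system should have done instead: enforce a length floor rather than an alphanumeric-only character set, so a passphrase with `$` in it is accepted, and store only a salted one-way PBKDF2 hash so nobody can ever email the password back. The iteration count, minimum length and the `pbkdf2_sha256$...` record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; a real deployment tunes the
# iteration count to its hardware and picks its own length floor.
PBKDF2_ITERATIONS = 200_000
MIN_LENGTH = 12


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable.

    The only rules are a length floor and "printable characters", so a
    sentence such as 'please do not email my pa$$word' passes. There is
    deliberately no letters-and-digits-only restriction.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters required")
    if not password.isprintable():
        problems.append("control characters are not allowed")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the only thing that should be stored: a salted, one-way digest.

    A fresh random salt per account means two users with the same
    password get different records, and nothing here can be reversed
    into the original password.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Assumed record layout: algorithm$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt by recomputing the digest with the stored salt.

    Uses a constant-time comparison so timing does not leak how many
    leading bytes of the digest matched.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(username: str, password: str, store: dict) -> str:
    """Apply the policy and, if it passes, store only the hash for the user."""
    problems = check_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    record = hash_password(password)
    store[username] = record
    return record


if __name__ == "__main__":
    accounts = {}
    passphrase = "please do not email my pa$$word"   # constructed sample
    register("jeanne", passphrase, accounts)
    print("stored record:", accounts["jeanne"])
    print("correct passphrase accepted:", verify_password(passphrase, accounts["jeanne"]))
    print("wrong passphrase rejected:", not verify_password("password1", accounts["jeanne"]))
```

Because only the record returned by `hash_password` is kept, a "link my account" request can at most trigger a reset flow; there is no plain-text password anywhere in the store to paste into an email.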

Really guys? It’s 2015.