griping about a “password” system

I emailed a company today asking for my account to be linked. I did NOT ask for a password reset. What I got was an email with plain text copy of my password. Aghhhhh! That’s just asking for someone to hack my account (or all the accounts.) Passwords should be stored using a one way hash at least.

Problem 1 – username

My user id is not my last name, email or anything I have any shot of remembering. And I didn’t get to pick it. Which means it is written down.

Problem 2 – storing the password in plain text

This company shouldn’t be storing passwords in plain text or any “encoding” where they can get the original password. And the only thing I can think of to make that worse is to email the password.

Problem 3 – password requirements

Since my password was sent in the clear, I went to change it. I wanted to make it a sentence about not emailing the password. That way if someone does it again, he/she at least has to read my note. I changed the letter s to $ in my sentence as one might expect. Guess what? Only letters and numbers are allowed.

Really guys? It’s 2015.

Leave a Reply

Your email address will not be published. Required fields are marked *