- Feb 28, 2003
- 17,948
- 34
- 91
Without getting into too many specifics here is what the situation looks like...
I had to request an additional ID card for a second user on a certain type of account (not a credit card). The vendor notified me that it would be a couple of weeks but the ID card would be there as soon as they could get it to me.
Anyway, the card arrived as expected but also included a piece of paper with the following:
1) Blah blah text body of letter
2) User name (written in pencil!)
3) Password (written in pencil!)
Here's the thing. The password was my actual password that I set up myself. Not some system generated password that I would need to use and then reset once I log back in to the site. (I don't duplicate passwords across sites anymore but do recognize the pattern of this password so know it's mine.)
So on the surface, this seems to be a huge security flaw to me, especially for those who do still use the same password across multiple sites.
Would ATOT agree with this assessment? I'm no expert but it just seems like a huge security gap where basically any employee could get any user's password. The scary thing is this is not a small company and they are actually connected to a much larger/massive company. I just don't know if it's directly connected using the same infrastructure or just linked to the larger company via redirect.
I've got a good contact at this company that I do plan to approach about it. But just wanted to check here first to see how bad this seems to be. I could very well be overreacting...
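The core of the concern above is that the vendor was able to write the user's own chosen password onto a letter, which is only possible if it is stored in a recoverable form. The added example below (not the vendor's code; the function names and the two sample vault layouts are constructed for illustration) contrasts recoverable storage with verify-only storage: with a salted, iterated hash the site can still check a login, but no employee or mailing process can look the password up.

```python
import hashlib
import hmac
import os

# Constructed example: two ways a site could keep a user's chosen password.
# Neither is the vendor's actual code; the names below are hypothetical.
ITERATIONS = 600_000  # high PBKDF2 count so offline guessing is slow


def store_plaintext(vault: dict, user: str, password: str) -> None:
    """Recoverable storage: anyone who can read the vault can read the password."""
    vault[user] = {"password": password}


def store_hashed(vault: dict, user: str, password: str) -> None:
    """Verify-only storage: a random salt plus a slow hash; the password is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    vault[user] = {"salt": salt, "digest": digest}


def verify(vault: dict, user: str, candidate: str) -> bool:
    """Login check that works with either layout, using constant-time comparison."""
    rec = vault.get(user)
    if rec is None:
        return False
    if "password" in rec:
        return hmac.compare_digest(rec["password"].encode(), candidate.encode())
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(rec["digest"], digest)


def recoverable_password(vault: dict, user: str):
    """What staff preparing a mailed letter could look up: the password, or nothing."""
    rec = vault.get(user)
    if rec is None or "password" not in rec:
        return None
    return rec["password"]
```

If a site can print or e-mail the password you chose, it is holding it in the first form; the second form is why a legitimate "forgot password" flow can only issue a reset, never tell you the old value.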
