Websites that store plain text passwords

stinkycheese

Member
Nov 9, 2003
The "forgot your password" page for a local online ticket vendor sends users their password in plain text. I just tested by making an account with a throwaway e-mail address. This is bothersome since a lot of people in the local community use the ticketing system and I can only imagine how they are storing credit card data.

I suppose they could be encrypting and decrypting the passwords, but they would have to store the key somewhere on their server.

Is it acceptable for a website to e-mail passwords in plain text to users?

Do you try to avoid doing business with organizations that don't seem to know how to store data securely?

Should I bring this up with the company?
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
The proper way to do it would be to store it as some kind of hash like MD5. I like to change things a little and not just do raw MD5, I might throw in some random characters in there too. I don't know if adding extra data does anything but figure it does not hurt.

To reset the password it is reset to something random, that random string is then sent in plain text to the user, and the user is forced to change it right away.

There is zero reason to store a password in plain text. It's not like you need to know what the user's password is. You just need to do the same hash operation to whatever they log in with, and make sure it matches with the stored hash. A credit card number is a bit more tricky as you need to know THAT number so you can send it to the bank, so it needs to be either in plain text (VERY BAD!) or in reversible encryption. The problem with storage of credit card numbers though is the need for them to be automatically brought in plain text, which means storing the encryption key somewhere.

Personally, if I were running a commerce site I would probably just make the user enter it every time, and not store it. Though for some applications that have a monthly fee it's a must to store it. Not really sure what the proper way is. Guess the process could be semi-manual, where an employee has to plug a USB key into the server, then process all the bills at once (say, on the first of every month), then remove the key. That way if the server is compromised the credit card numbers are encrypted and the key is physically not in the server.
 

Udgnim

Diamond Member
Apr 16, 2008
Requested account information be emailed from a security provider recently.

The email contained the account password in plain text.
 

Doppel

Lifer
Feb 5, 2011
Does this site store credit card information (complete numbers saved)? If so it is almost certain they are in major breach of PCI compliance. When they get hacked they will pay unbelievably huge fines. Credit card companies have gotten very serious about what needs to be done to secure numbers. You could at least alert them to that fact, and then when or if they get screwed at least they were told already.
 

General Kenobi

Senior member
Sep 29, 2011
Sounds like dodgy database management at best. They're probably not big enough for people who roll with the Anonymous, but somebody will take advantage of companies that use plain text where they shouldn't sooner or later.