While going through my password database and giving all of my old entries a refresh I was shocked to notice the password change email that I received from the Where’s George website (remember them?) contained my new password in plain text. Good thing I used a site specific email address and password for them! (When is the last time I logged into their site, anyhow?)
So, it got me to wondering… did they just send it back to me in a plain text email (a sin), or are they also storing it in a form they can read back, i.e. unencrypted (an even bigger sin)? So, I went to their site and followed the forgotten password link, and sure enough they sent me my password again, in plain text:
Seriously? That’s a major security snafu! I thought that sites had gotten past that ages ago!
With so many cross-site breaches in the news these days they really should move into the 2000s. Too bad my feedback e-mail bounced back and they probably won’t be answering.
EDIT: To their credit, they did answer my feedback with: “yes, we’re working on changing that.”
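For contrast, here is what the forgotten-password flow looks like when the site cannot possibly email the password back. This is an added example, not code from the Where’s George site: it keeps only a salted PBKDF2 hash of each password and turns the “forgotten password” link into a short-lived, single-use reset token (the user table, the token store and the time handling are assumptions of the example).

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stores standing in for the site's database.
USERS = {}           # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}    # sha256(token) -> (email, expiry timestamp)
PBKDF2_ITERATIONS = 600_000
RESET_TTL_SECONDS = 15 * 60

def _derive(password: str, salt: bytes) -> bytes:
    # One-way, salted, deliberately slow: nothing stored can be emailed back.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _derive(password, salt)}

def verify_login(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        _derive(password, b"\0" * 16)   # same cost for unknown users
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

def request_reset(email: str, now: float) -> Optional[str]:
    """Mint the token that goes into the reset email in place of a password.
    Only a hash of the token is kept, so a leaked token store is not enough."""
    if email not in USERS:
        return None   # caller still shows the same generic "check your email"
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[key] = (email, now + RESET_TTL_SECONDS)
    return token

def complete_reset(token: str, new_password: str, now: float) -> bool:
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # pop: a token works exactly once
    if entry is None:
        return False
    email, expires = entry
    if now > expires:
        return False
    register(email, new_password)   # fresh salt and hash replace the old ones
    return True
```

In a real deployment the token is sent inside a reset link and `now` comes from the clock; the old password never exists on the server, so a reset email that contains it is proof of recoverable storage.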
With all of the recent security breaches I’ve been trying to improve my password practices, especially on all of those sites where I used simple “throwaway account passwords”.
For about a year now I’ve been using KeePass for managing my passwords and generating stronger ones. It’s very nice for that purpose and also lets me keep track of those pesky security questions and the like. The problem is that it’s not very well integrated with the browser. Sure, you can install a bunch of plugins, but it’s a pain and still leaves you either running various clients of varying quality on various platforms (often in Mono, which is barely a solution, to say the least), or with poor usability.
1Password looks beautiful and looks very powerful, but it doesn’t support enough platforms and is very expensive, so I haven’t even really given it much attention.
That leaves me considering LastPass. It has great integration on almost all platforms, browser plugins, wide support, etc. I really like it, but can’t bring myself to use it because of a few fatal (IMO) flaws. If they’d just address these flaws I’d be willing to make the jump and pay for their service:
- They use the same password for your vault as for the normal account maintenance login. That feels like a major weak point.
- They require you to re-enter your password to “change identities”, but don’t allow different passwords for different identities (or, better, completely separate vaults). I want to be able to set it up so that my more secure passwords are protected behind a much stronger password that is harder to type, with an easier-to-type password for my less important identities.
- They don’t allow you to store your vaults off-site. While the vaults are theoretically safe even if somebody gets hold of one, LastPass itself is still a major target. Being able to store my vaults somewhere else gives me at least a (possibly false) sense of security in that the location is known only to me.
Given how cheap their service is and how nicely their stuff integrates into all of my browsers (even mobile, with Touch ID integration!) I’m considering using them for my less important “everyday” passwords, but continuing to use KeePass for my more secure passwords that I don’t access nearly as often.
What are your thoughts?