While going through my password database and giving all of my old entries a refresh I was shocked to notice the password change email that I received from the Where’s George website (remember them?) contained my new password in plain text. Good thing I used a site specific email address and password for them! (When is the last time I logged into their site, anyhow?)
So, it got me to wondering… did they just send it back to me in a plain text email (a sin), or are they storing it in an unencrypted form as well (an even bigger sin)? So, I went to their site and followed the forgotten password link, and sure enough they sent me my password again, in plain text:
Seriously? That’s a major security snafu! I thought that sites had gotten past that ages ago!
With so many cross-site breaches in the news these days they really should move into the 2000s. Too bad my feedback email bounced back and they probably won’t be answering.
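The distinction drawn above (emailing a password back is bad; being able to is worse, because it means the stored form is recoverable) comes down to how the account store is built. As an added example, not code from this post or from the Where’s George site, here is a minimal Python account store that keeps only salted PBKDF2 hashes, so a forgot-password request can hand out a one-time reset token but can never produce the password itself. The iteration count, the in-memory dictionaries and the lack of token expiry are simplifications assumed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


class AccountStore:
    """Toy in-memory store: only salted hashes and reset tokens are kept."""

    def __init__(self):
        self._users = {}   # email -> (salt, pbkdf2 hash)
        self._resets = {}  # one-time reset token -> email

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)  # fresh random salt per password
        self._users[email] = (salt, self._hash(password, salt))

    def verify(self, email, password):
        if email not in self._users:
            return False
        salt, stored = self._users[email]
        # Constant-time comparison of the stored hash with the recomputed one.
        return hmac.compare_digest(stored, self._hash(password, salt))

    def recover_password(self, email):
        # The operation the site in the post performs. With this store it is
        # impossible: nothing recoverable was ever written to disk.
        raise NotImplementedError("passwords are not stored in recoverable form")

    def start_reset(self, email):
        # Forgot-password flow: mint a random single-use token to send as a link.
        # A token is returned even for unknown emails so the response does not
        # reveal whether an account exists; it simply maps to nothing.
        token = secrets.token_urlsafe(32)
        if email in self._users:
            self._resets[token] = email
        return token

    def finish_reset(self, token, new_password):
        # Consume the token; a second use of the same token fails.
        email = self._resets.pop(token, None)
        if email is None:
            return False
        self.register(email, new_password)  # new salt, new hash
        return True
```

In a real system the reset token should itself be stored hashed and given a short expiry, so that a leaked database cannot be used to take over accounts via pending resets.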
EDIT: To their credit, they did answer my feedback with: “yes, we’re working on changing that.”