
Unencrypted passwords at "secure" sites

Submitted by linear a
linear a (584575) writes "I've noticed that quite a few web sites do *not* encrypt user passwords. I've gotten into the habit of hitting the "email me my password" from them to see what happens. So far I've found maybe 6 that must store passwords in clear since they were able to return the original password back to me. Clearly this is Bad Security Practice. Also, I've had notably bad progress when I ask them to fix this practice. Some of these are sites one would clearly expect to have better security (e.g., a software vendor and an online bank). Do you have thoughts on how to better encourage better password practice at these places? Also, is this really as common as it seems to be for me?"
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

  • You're assuming that everyone either stores plaintext or stores in a password file, using hash to compare logins to the encrypted password. But you can encrypt the passwords and store them with a key that only a system process has access to, to decrypt and send them back.
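
Added example, not part of the submission or the comment above: a sketch of the "forgot password" path when a site keeps only a salted, slow hash, so it has nothing it could email back and issues a one-time reset token instead. The record format, the iteration count and the `ResetTokens` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value; tune to your hardware)

def hash_password(password: str) -> str:
    """Return the only thing stored: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # malformed record: wrong field count, bad hex, bad iteration count
        return False
    return hmac.compare_digest(candidate, expected)

class ResetTokens:
    """One-time reset tokens; the server keeps only a SHA-256 of each token."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._pending = {}  # token hash -> (username, expiry time)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (username, now + self.ttl)
        return token  # this goes in the email, in place of the password

    def redeem(self, token: str, now: float):
        """Return the username once, or None if unknown, already used or expired."""
        entry = self._pending.pop(self._key(token), None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```
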
