5

A "reputable" education company that my university utilizes for it's Physics course online materials sent my plaintext password in an email after using the Forgot Password? tool.

I know that this is bad practice and is a little disconcerting coming from a prominent "reputable" corporation.

What I want to know is if it would be prudent or worthwhile to contact the company and ask/inform them about this issue to see if they're willing to address it?

Should I take any additional precautions on their website other than using a completely unique password?

Brandon Kreisel
  • 153
  • 1
  • 5
  • 2
    There's 2 things wrong with this: a) they have access to your password (its not hashed), b) they send without encryption. This is just very bad practice -.- – SinisterMJ Oct 14 '13 at 15:07
  • What's really bad is that you (or the casual user) are likely to reuse the same password/username combo on several sites despite best practice, relying (or hoping) that it's not a problem -- after all nobody can see these since you're logging in over SSL anyway (and passwords are salted/hashed, so website A and website B have different hashes stored, though most users don't know that). Right? And now, _surprise_, it turns out your PW is stored _plaintext_ and has been been publicly visible on the network and on your mail server (and has been, like all mail, forwarded to malicious people). – Damon Feb 09 '14 at 11:27

3 Answers3

3

I definitely think it is worth telling the company how you feel regarding how they handle your privacy. I am sure management often times doesn't know the technical details or implications of password storage policy.

I have run into this twice with mixed results:

  • T-Mobile: They text you a plaintext password to your account portal when you submit your telephone # to the lost password link. They were not interested in hearing about the problem.

  • Jimmy Johns: The forgot password form was sending plain text passwords via email. I questioned the practice, and they apologized and immediately implemented a password reset code instead. I don't know whether they started hashing passwords.

It is horrible practice, and I encourage anyone to put pressure on companies doing this.

David Houde
  • 5,504
  • 1
  • 27
  • 22
3

Sure, you might as well tell them but don't get your hopes up. In my experience, if the entire IT department doesn't care about/understand security, an email from an outsider won't change that.

Using a throw away password is a good idea. If your account being compromised could affect your life outside of this site a better idea would be to not create an account at all.

If you do send an email, I would suggest sending it to the IT department as well as the CEO's office. You might have a better chance of getting something done if they are worried about getting in trouble.

Abe Miessler
  • 8,165
  • 10
  • 45
  • 72
3

When someone has forgotten his password, there is not much to build on to allow for a "password reset". Using email is weak but there is little choice.

The problem is that they send you your password as plaintext, which means that they have your password stored somewhere, unprotected. This is bad. If you are willing to point them out publicly and mock them, then you may share your experience on this site; however, people in general don't react well to mockery. Sending them an email before is worthwhile:

  • If anything else, it will boost your own ego. Playing the role of the nice guy of the story is always elating.
  • They are an education company working with a university: they should nominally know the value of knowledge and be open to suggestions.
  • They are an education company working with a university: their users are student, who are, security-wise, a scary bunch: they are young, not completely rational, prone to poke at things for the fun of it, they have time on their hands, and they have access to a lot of computing power. This highlights the need for really good security.

Anyway, reusing passwords is bad. You should already be using a specific password for their site. By emailing your password back, they demonstrate sloppy security, but it would be unrealistic to assume that average Web sites do better. One password per site is the rule. Of course this implies managing a lot of passwords; this can be taken care of with some password manager software like this one.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480