I recently had to reset my password on an Internet service I use.
As usual, the process asked me for my email address, and said it would duly send me an email with reset instructions. No problem there.
The email arrived, with a link to click. Fine.
I clicked the link and it took me to a password reset screen, which is not unusual. There was a box on the screen asking me to enter a new password, fairly common.
However, to my horror – there in plain text, in full view, was my OLD password, helpfully entered into the new password box.
Showing the password is bad, but the unforgivable part is the fact it knows my password. It has been best practice for sooooo long now to hash passwords, using a one way function. This site's password database is just sitting there waiting to be hacked and reveal everybody's passwords.
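For contrast, here is an added example (my own illustration, not code from the site or the original post) of the storage and reset flow a site like this should be using: only a random salt and a one-way PBKDF2 hash are kept, a login check compares hashes rather than passwords, and a single-use reset token can only replace the stored hash, so the reset page has nothing it could pre-fill. The in-memory dictionaries stand in for a real database.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for database tables (example only).
_users = {}          # username -> {"salt": bytes, "hash": bytes, "iterations": int}
_reset_tokens = {}   # one-time reset token -> username

# Kept low so the example runs quickly; production should use a much higher
# count (or a memory-hard KDF such as scrypt/Argon2).
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way derivation: the original password cannot be recovered from this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def set_password(username: str, password: str) -> None:
    """Store only salt + hash; the plaintext is discarded after hashing."""
    salt = os.urandom(16)
    _users[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt, ITERATIONS),
        "iterations": ITERATIONS,
    }


def verify_password(username: str, password: str) -> bool:
    """Login check: re-derive the hash and compare in constant time."""
    rec = _users.get(username)
    if rec is None:
        return False
    candidate = _hash_password(password, rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])


def issue_reset_token(username: str) -> str:
    """Token to embed in the reset email; it grants only the right to set a new password."""
    token = secrets.token_urlsafe(32)
    _reset_tokens[token] = username
    return token


def complete_reset(token: str, new_password: str) -> bool:
    """Consume the token (single use) and overwrite the stored hash."""
    username = _reset_tokens.pop(token, None)
    if username is None:
        return False
    set_password(username, new_password)
    return True


def stored_record(username: str):
    """What the site actually holds for a user: no password field exists at all."""
    return _users.get(username)
```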
I would normally urge a boycott of such sites, until security practice improved. But sadly, this is a site I have no choice but to use to perform elements of my job. Needless to say I have alerted the provider and will monitor their progress in resolving the issue.
Have you had similar experiences? Please record your examples of similar bad practice below.