Revelations of a Password Reset

21 Feb

I recently had to reset my password on an Internet service I use.

As usual, the process asked me for my email address, and said it would duly send me an email with reset instructions. No problem there.
The email arrived, with a link to click. Fine.

I clicked the link and it took me to a password reset screen; that is not unusual. There was a box on the screen asking me to enter a new password, which is fairly common.
However, to my horror – there in plain text, in full view, was my OLD password, helpfully entered into the new password box.

Showing the password is bad, but the unforgivable part is the fact that it knows my password. It has been best practice for sooooo long now to hash passwords using a one-way function. This site's password database is just sitting there waiting to be hacked, revealing everybody's passwords.
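As an added illustration (my own example code, not anything from the service in question), here is what the store behind a reset flow should look like: only a random salt and a one-way PBKDF2 digest are kept per account, so a reset can replace the digest but nothing on the server can pre-fill the old password. The iteration count is an assumption chosen to match current PBKDF2-HMAC-SHA256 guidance.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: iteration count in line with current PBKDF2-HMAC-SHA256 guidance.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is one-way: it cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """Constructed example store: email -> (salt, digest). No plaintext is ever kept."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, email: str, password: str) -> None:
        self._records[email] = hash_password(password)

    def verify(self, email: str, password: str) -> bool:
        record = self._records.get(email)
        if record is None:
            # Hash anyway so unknown and known accounts take the same time to check.
            hash_password(password)
            return False
        salt, digest = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(candidate, digest)

    def reset(self, email: str, new_password: str) -> None:
        """The reset flow only ever writes a fresh salt+digest; the old password is gone for good."""
        if email not in self._records:
            raise KeyError(email)
        self._records[email] = hash_password(new_password)

    def stored_record(self, email: str) -> bytes:
        """Everything the server holds for this account, which is all a reset page could ever show."""
        salt, digest = self._records[email]
        return salt + digest
```

A site that can pre-fill the old password cannot be built on a store like this; it must be keeping the plaintext (or something reversible) alongside or instead of the hash.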

I would normally urge a boycott of such sites until security practice improved. But sadly, this is a site I have no choice but to use to perform elements of my job. Needless to say I have alerted the provider and will monitor their progress in resolving the issue.

Have you had similar experiences? Please record your examples of similar bad practice below.

Please join the discussion, we welcome your views...
