
I used to log in to a certain website a couple of years ago. Recently I've got an email suggesting that I should renew my membership, and that email included my old password. That's right, my old password was emailed to me verbatim over SMTP.

That implied two things:

  1. They store passwords as unencrypted text rather than one-way hashes, which makes all current and former members' information very vulnerable.

  2. They send around those passwords in unencrypted emails, which makes their members' information extremely vulnerable.

So I went on their website to see whom to contact regarding fixing these security bugs, and, to my surprise, found these gaping security holes were there by design! Specifically, I clicked the button to remind me of my password and got this email:


You, or someone posing as you, has requested a password reminder for your membership on the mailing list "the website".

....

You are subscribed with the address: "my email, unencrypted"

Your "the website" password is: "my old password, unencrypted"


So I sent an email to the webmaster listed on the site; unfortunately the email bounced back as undeliverable. I am not employed at that site, but I find it difficult to ignore the issue because that would be leaving thousands of current and former users very vulnerable. The website is not a local general store, it belongs to a well-known (among software engineers) lab at a major university and may have thousands of user accounts.

Thus the question: what further steps can/should I take to improve IT security there?
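To make the contrast concrete, here is an added example (not from the question, and not the code of the mailing-list software it describes) of the design the poster says is missing: passwords kept only as salted one-way hashes, and a "forgot password" flow that emails a single-use, time-limited token instead of the password. Function and class names, and the iteration count, are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware


def hash_password(password, salt=None):
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record, candidate):
    """Recompute the digest and compare in constant time; the stored hash is never reversed."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


class ResetTokens:
    """Single-use, time-limited reset tokens replace the 'password reminder' email.

    Only the SHA-256 of each token is kept, so a leaked table of pending resets
    is of no more use to an attacker than a properly hashed password table.
    """

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (user, expiry timestamp)

    def issue(self, user, now=None):
        """Return the token to place in the reset link; store only its hash."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).digest()] = (user, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the owning user once, or None if unknown, already used or expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```

With this layout a compromised database or a mis-sent email exposes nothing that lets anyone log in, which is exactly what a reminder that mails the stored password cannot guarantee.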

Gilles 'SO- stop being evil'
Michael
    Since you are not employed there you can probably only do [public vendor shaming](http://plaintextoffenders.com/) and hope that it gets better. But I propose to close this question because it is primarily opinion-based. – Steffen Ullrich Feb 17 '17 at 17:39
  • Was your old password auto generated or one that you created? – TTT Feb 17 '17 at 17:48
  • 1
    Closely related: [Reference for Insecure password by email](http://security.stackexchange.com/questions/41179/reference-for-insecure-password-by-email) – Gilles 'SO- stop being evil' Feb 17 '17 at 18:00
  • 1
    Don't use it anymore? – oɔɯǝɹ Feb 17 '17 at 18:17
  • 1
    You can find a technical contact email on the whois register. You could try them if the webmaster contact is bouncing – iainpb Feb 17 '17 at 20:22
  • Well one thing is for sure .... you should use DIFFERENT passwords on each website. Thus you are protected from the security profile of one site affecting your information on other sites. – mdpc Feb 17 '17 at 20:46

0 Answers