I have recently logged into a website. When I clicked on the "Update Profile" page, I was shown a list of text boxes for all the user fields, e.g. name, email, phone number, etc.
There are also boxes for password and confirm password (in case you wish to update these values). However, when you go into this page, those boxes are already populated, which made me think: why are they putting placeholders in?
When I go into Inspect Element, the boxes actually contain the value of your password, transformed into upper case, like this:
<input type="password" name="txtPassword2" size="45" value="MYPASSAPPEARSHERE">
I have also recently noticed that the case of your password or username is irrelevant when logging in - e.g. I can put it in all caps, all lower, or a mixture of both and it will still accept the password.
Is this a security hole and does this indicate they are storing passwords as plain text?
This is not a duplicate of (What to do about websites that store plain text passwords) as I’m asking here for clarification of whether this indicates the site is storing plaintext passwords, rather than what to do about it.
Response from the company: After pushing hard, the company confessed that they are, in fact, storing passwords in plain text.
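An added illustration, not part of the original post and not the site's code, of why the two observations carry different weight: a case-insensitive login is still possible with a salted hash of a case-folded password, while a pre-filled password box requires a stored value that can be read back. All function names and the PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # constructed value for this example


def normalize(password: str) -> bytes:
    # Assumption: the site folds case before comparing, which is why any
    # mixture of upper and lower case is accepted at login.
    return password.upper().encode("utf-8")


def hashed_record(password: str) -> dict:
    """What a site that hashes the case-folded password would store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def hashed_verify(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def hashed_prefill(record: dict) -> str:
    # Salt and digest cannot be turned back into the password, so the only
    # value the profile form can carry is an empty one.
    return ""


def recoverable_record(password: str) -> dict:
    """Plaintext (or reversibly encrypted) storage, upper-cased on save."""
    return {"password": password.upper()}


def recoverable_verify(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["password"].encode("utf-8"), normalize(attempt))


def recoverable_prefill(record: dict) -> str:
    # The stored value can be written straight into value="..." on the form,
    # which is the behaviour seen in the inspected <input> element.
    return record["password"]
```

Both schemes accept `mypassappearshere` and `MYPASSAPPEARSHERE`, but only the recoverable one can produce the string for the form field.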