
I recently made a complaint to a company about them sending out passwords in plain-text via email upon registration knowing that it is a potential security risk.

One of their employees responded with the following:

> The security depends on the strength of your email password. This is the default in the billing system - also used by thousands of other companies. If you have problems with this, please just delete the email.

Is that a reasonable response? Is it really the default in billing systems to send out the user's password in plain text by email?

I believe the billing system used by the company is WHMCompleteSolution.

Jeff Ferland

Joshua
  • It's not reasonable, it's ignorant. They're obviously storing plaintext or reversibly-encrypted passwords, and that's a *very bad idea*, especially considering the problem of password reuse. – thejh Apr 03 '13 at 20:25
  • *This is the default in the billing system - also used by thousands of other companies*... who are also all wrong to use this pattern. – Jeff Ferland Apr 03 '13 at 20:36
  • The standard option for you at this point is to attempt to publicly shame them into fixing their security mistakes. You should make a serious effort to convince them privately, but once the time limit is up, [go public](http://plaintextoffenders.com/). This is known as [responsible disclosure](http://www.schneier.com/essay-146.html). Here's [Troy Hunt](https://twitter.com/troyhunt/status/318993165908578304) doing exactly that [earlier today](http://www.troyhunt.com/2013/04/5-ways-to-implement-https-in.html). – Ladadadada Apr 03 '13 at 22:41
  • Thanks for all your comments, this is the response I received when further complaining and linking to articles suggesting that it is not a good idea: "This option is defaulted in WHCMS and that's how we're keeping it" – Joshua Apr 04 '13 at 12:32
  • This is what WHMCS say about it, http://forum.whmcs.com/showthread.php?41342-Password-security&p=216721#post216721. Does that make it any better? – Joshua Apr 04 '13 at 12:39

0 Answers