
I have come across a site that, on going through the password reset, sends my old password to me via email.

Now we know this is insecure; I see this question here and here, and no doubt others.

However, is there any authoritative source saying that this is bad that I can quote to their customer services (i.e. quotes from here or a random blogger won't be official enough)?

Ideally, as I am in the UK, is there anything under the Data Protection Act or from the Information Commissioner that says this?

mmmmmm
    Ask them how they would feel appearing on http://plaintextoffenders.com/ – razethestray Aug 25 '13 at 00:23
  • They would ask what is it, and why should they be interested? – mmmmmm Aug 25 '13 at 10:43
  • Also, how can I see if they are on there (and how would they be able to find themselves)? There is no search, so that would just be ignored as it does not look authoritative – mmmmmm Aug 25 '13 at 10:46

2 Answers


Well, I'd have recommended plaintextoffenders, but @razethestray has already done that :)

As to DPA, I'd say that the obvious place where this practice might not match up with its requirements is that principle 7 requires that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Unfortunately the DPA doesn't provide any additional information about what appropriate means, which is (IMHO) a bit useless!

One other one is, if they're processing debit or credit cards, they'd be in breach of PCI DSS requirements on storage and processing of passwords.

Rory McCune

If you followed the sad saga of UK Tesco last year, you would know that when people don't get it, they simply don't get it. Tesco was a plaintext offender who actually tweeted a response saying

@troyhunt Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

That has since been retweeted more than 2000 times.

Beyond the problems apparent in that tweet is that many good people, including Troy Hunt, offered to help Tesco improve their systems. Tesco never even recognized that they had a problem. Even becoming the poster child for cluelessness didn't seem to make them consider that they were doing something wrong.

Only after it became the subject of tremendous ridicule and hit the tech press did it lead to some talk of an investigation by the Information Commissioner's Office.

Tesco no longer emails or DMs plaintext passwords, but we have zero indication that they see any problem with how they are storing passwords.

So maybe you can point out the bad press that Tesco received and suggest that they might avoid that by trying to understand why having plaintext recoverable passwords is a bad thing.

Good luck.

Jeffrey Goldberg
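A worked illustration of the point behind that Tesco tweet, added here as an example and not part of either answer: a store that keeps only a salted one-way hash has nothing it could "copy into plain text" for a reminder mail, so a reset has to work by issuing a single-use, expiring token instead. The class name, the 15-minute token lifetime and the sample account are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time


class PasswordStore:
    """Minimal account store for the example. Only a salted PBKDF2 hash of each
    password is kept, so the server cannot reproduce the plaintext on request."""

    TOKEN_LIFETIME = 15 * 60  # assumed 15-minute validity for reset tokens

    def __init__(self):
        self.accounts = {}       # email -> (salt, password_hash)
        self.reset_tokens = {}   # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email, password):
        salt = os.urandom(16)
        self.accounts[email] = (salt, self._hash(password, salt))

    def verify(self, email, password):
        salt, stored = self.accounts[email]
        # constant-time comparison avoids leaking which prefix matched
        return hmac.compare_digest(stored, self._hash(password, salt))

    def recover_password(self, email):
        """What a 'mail me my old password' feature would need. With one-way
        hashing there is simply no plaintext to hand back."""
        raise NotImplementedError("only a one-way hash is stored; plaintext is unrecoverable")

    def begin_reset(self, email, now=None):
        # The raw token goes to the user (e.g. in a reset link); the server
        # keeps only its hash, so a database leak does not expose live tokens.
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + self.TOKEN_LIFETIME
        self.reset_tokens[hashlib.sha256(token.encode()).digest()] = (email, expiry)
        return token

    def complete_reset(self, token, new_password, now=None):
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False                       # unknown or already-used token
        email, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False                       # expired token is rejected
        self.register(email, new_password)     # new salt, new hash; old one is gone
        return True
```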