
I registered for a webpage years ago and have been using it without issues, today I made some changes to my account and they sent me an email containing my username and password in clear text.

I sent the company an email questioning their password handling procedures, but they claimed it was watertight.

My question is: When they send me my password in clear text, does that mean they are actually storing it in cleartext (or in an easily reversible cryptographic way)?

I thought the whole point was that the password was hashed in a non-reversible fashion?

Martin
  • Yes, it absolutely means that **they store your password in cleartext or at least in a reversible way, e.g. encrypted.** As to whether this is secure is a completely different question, because we don't know anything else about their infrastructure and the policies in place. – Karol Babioch Mar 25 '14 at 13:39
  • I'm coming to the conclusion that the password is stored in plain text, which means that an intruder to their system would have access to every user's password. The security to prevent this is unknown. The unforgivable offense here is mailing the password back to the user in clear text. – Martin Mar 25 '14 at 13:44

1 Answer


It is not as secure as it most likely should be, though there are occasional justifiable reasons for storing a password in clear text (for example, unattended third-party service access when authorization tokens aren't an option).

It is certainly not secure to provide the decrypted password back to the user EVER.

AJ Henderson
  • Someone who occasionally comes around the site here actually runs [Plain Text Offenders](http://plaintextoffenders.com/), which attempts to shame such companies into fixing their practices and explain to them the error of their ways. – AJ Henderson Mar 25 '14 at 13:30
  • I think the assumption that the password is being stored in the clear is wrong. At the time of password reset, the password is in the clear before it gets written to the database or passes through the encryption logic; it is at this point that the plain-text password is captured and can be sent in an email. – user1587439 Mar 03 '16 at 12:21
  • @user1587439 The OP stated that this was years after the initial registration. Yes, sending a new password on reset does not mean it is stored (though it is still bad practice), but sending an old password long after creation does. – AJ Henderson Mar 03 '16 at 15:41
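To make the answer's point concrete, here is an added illustration (not code from the site in question or from any library mentioned on this page) of the two storage designs being contrasted. A store that keeps only a salted, one-way PBKDF2 hash can still check a login, but it has nothing it could put in a "here is your password" email years later; a store that keeps the password under a server-held key can do both. The iteration count, usernames, passwords and the XOR "cipher" standing in for real symmetric encryption are all constructed for the example.

```python
"""Why mailing back an old password implies reversible storage.

Added illustration for the question above; not code from any site or
library discussed there. Both stores and all credentials are constructed.
"""
import base64
import hashlib
import hmac
import os

# Assumption: a PBKDF2-SHA256 work factor in the range current guidance recommends.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, one-way hash. The result is a self-describing string so the
    parameters can be checked later and rotated when the work factor changes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


class HashedStore:
    """Keeps only the salted hash: login works, recovering the password cannot."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        return stored is not None and verify_password(password, stored)

    def password_reminder(self, username: str):
        # Nothing to send: only the hash exists. A real site issues a reset token instead.
        return None


def _toy_xor(key: bytes, data: bytes) -> bytes:
    # Toy reversible transform standing in for any symmetric cipher; not real cryptography.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class ReversibleStore:
    """Keeps the password under a key the server holds: login works, and so does recovery."""

    def __init__(self, key: bytes = b"constructed-server-key"):
        self._key = key
        self._users = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = _toy_xor(self._key, password.encode("utf-8"))

    def login(self, username: str, password: str) -> bool:
        return self._users.get(username) == _toy_xor(self._key, password.encode("utf-8"))

    def password_reminder(self, username: str):
        # The server, and anyone holding its key plus a copy of the database, gets the plaintext back.
        return _toy_xor(self._key, self._users[username]).decode("utf-8")


def can_email_old_password(store, username: str) -> bool:
    """The test the question asks: can the site mail back a password set long ago?"""
    return store.password_reminder(username) is not None


if __name__ == "__main__":
    for cls in (HashedStore, ReversibleStore):
        store = cls()
        store.register("martin", "correct horse battery staple")  # constructed credentials
        print(cls.__name__, "login ok:", store.login("martin", "correct horse battery staple"),
              "| can email old password:", can_email_old_password(store, "martin"))
```

Running the script shows both stores accepting the correct login, but only `ReversibleStore` able to answer `password_reminder`. That asymmetry is exactly the inference in the accepted answer: a site that can email you the password you set years ago is holding something from which the plaintext can be recovered, whatever it chooses to call that storage.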