Ever forget your password on a website?
Yeah, thought so. Ever hit the “forgot password” link on a website and got your password emailed back directly to you?
If that’s the case, it means that website saves your password in plain text so that they can email it back to you. This is a terrible security practice for a few reasons:
- Email is not a secure protocol, so even if you use a secure protocol to log in (HTTPS), when your password is emailed it becomes exposed to the world.
- If that website is hacked, your password will be quite available and visible to the attacker.
- Even if the website is not attacked, your password is available to anyone who has access to the website and the application. Do you trust every employee of that company, and of the data center that they’re hosting in?
I recently became aware of a site that is designed to shame websites that adopt this practice. plaintextoffenders.com
So if you encounter a website with this practice, do yourself two favors:
- Ensure you don’t share that password with any other account on any other website. You should assume the whole world already knows that password.
- Submit the email to plaintextoffenders.com and help shame that website into changing their ways!