Websites and cleartext passwords

The other day, I received an email from my company insurance provider's third-party administrator (TPA), asking me to review and update my dependant details.

Nothing was wrong with the email, except for one detail: it contained not just my login but also my password, in cleartext. What this indicates is that my password is being stored in cleartext (or at least in some form they can reverse) in their system or database.

This website is arguably not an important one, since it allows only registration and printing of e-cards, but that does not rule out someone doing mischief, such as updating or deleting data, using my credentials.

The more harmful issue arises if you use the same password for your banking or other more critical websites. A mala fide person can use this information to gain access to your accounts on those sites.

Interestingly, the website of this TPA uses HTTPS/SSL for protection. The purpose of that is defeated if the site then sends the cleartext password in emails: encrypting the connection does nothing for a password that is stored readably and mailed out in the open.

Perhaps websites should publish whether they are indeed storing passwords in cleartext (a site that can email you your existing password clearly is), so that users can choose their passwords accordingly.
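To make the difference concrete, here is an added example (my own illustration, not the TPA's code) contrasting the cleartext store the post describes with a salted-hash store. The hashed store can still check a login, but it cannot produce the password for an email like the one I received; the class names, the PBKDF2 parameters and the sample credentials are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed example, not any real site's code. The iteration count is an
# assumed work factor; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000


class ClearTextStore:
    """What the post observed: the password itself is kept and can be mailed back."""

    def __init__(self):
        self._users = {}

    def register(self, login, password):
        self._users[login] = password

    def verify(self, login, password):
        return self._users.get(login) == password

    def stored_record(self, login):
        return self._users[login]

    def reminder_email(self, login):
        # Being able to write this email is exactly the problem.
        return f"Login: {login}\nPassword: {self._users[login]}"


class HashedStore:
    """Keeps only a per-user salt and a PBKDF2-HMAC-SHA256 digest."""

    def __init__(self):
        self._users = {}

    def register(self, login, password):
        salt = os.urandom(16)  # unique per user: equal passwords get different digests
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[login] = (salt, digest)

    def verify(self, login, password):
        if login not in self._users:
            return False
        salt, stored = self._users[login]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, stored)  # constant-time comparison

    def stored_record(self, login):
        return self._users[login]

    def reminder_email(self, login):
        # There is no password to send; the only honest reminder is a reset link.
        return f"Login: {login}\nPassword: (not recoverable; use the password reset link)"
```

A site that has only the salt and digest can answer "is this the right password?" but not "what is the password?", which is the property the TPA's system evidently lacks.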
