Again.. Don’t ever think it’s alright to store passwords in plain text. Anywhere.
Catherine P.: Hello, you’ve contacted **** Live Support! How can I help you today?
Jason Hunt: Hello…. I can’t log into my account… I have reset my password and then tried logging in with the changed credentials and it says I am now not able to log in due to failed attempts.
Jason Hunt: username: ****
Catherine P.: Wait a minute please
Jason Hunt: waiting
Catherine P.: I’ll check
Jason Hunt: thank you
Catherine P.: Could you please provide me with 2 first and 2 last symbols of your new password
Jason Hunt: ** **
Catherine P.: Your account was locked due to 6 failed attempts to login
Jason Hunt: seems an odd request… unless my password is stored in PLAIN TEXT *grrr*
Catherine P.: I’ll unlock it in a moment
Jason Hunt: thank you
Jason Hunt: and, please, get rid of plain text passwords… that is unsecure and concerning to me as a customer
Catherine P.: Now your account is unlocked
Jason Hunt: I am logged in.. thank you
Jason Hunt: please log a service request to have the passwords changed from plain text to hashed
Jason Hunt: very high priority
Catherine P.: You can change this password
Catherine P.: if you like
Jason Hunt: yes I can.. but what difference does it make if YOU can still read it?
Catherine P.: We can’t read it
Catherine P.: It is saved in our system
Catherine P.: We don’t have access to it
Jason Hunt: You wouldn’t have asked for the first two and last two symbols in my password otherwise
Jason Hunt: at least SOME part of my password is stored in a format that is plain text that you can read and verify. Insecure
Catherine P.: We usually don’t ask whole passwords
Catherine P.: Anyone can log in using part of password
Jason Hunt: fact is… you should NEVER have access to ANY part of the password… should be another security question
Jason Hunt: you mean I can log in with using only four characters of my password?
Jason Hunt: how secure is that?
Catherine P.: Sorry, can not
Jason Hunt: that’s better
Catherine P.: I have mistyped
Catherine P.: I’m sorry
Catherine P.: and also we have secure connection
Jason Hunt: please log a service request to have ANY portion of plain text of user passwords removed from the services provided by ****
Catherine P.: So nobody will be able to steal your password
Jason Hunt: I don’t care if it’s a secure connection… YOU have access to my password… if I use it on any other site… YOUR staff could be the ones to steal it
Jason Hunt: not that I don’t trust your staff… but I just don’t trust your staff
Catherine P.: Please write your suggestion at ****
Catherine P.: It is our forum
Jason Hunt: I think I’ll blog about it
Catherine P.: Our developers will fix it
Jason Hunt: I certainly hope so
Jason Hunt: thank you, again, for helping me with this
Catherine P.: We’ll do our best to make your information secure
Catherine P.: You are always welcome.
Catherine P.: If you have any other questions feel free to contact us again.