Question

I recently forgot my password for a site and went through their support process for resolving this. They emailed me my original password, in plaintext.

I sent them a scathing email stating that email is not a secure transmission protocol and that by sending me a plaintext version of my password they've indicated they're not storing a hashed version of my password. I went on to say that anyone with access to their database or who hacks their system would have access to the passwords.

Are these assertions correct?

Solution

Yes, your assertions are correct.

While we can't be sure that they store the password in a plaintext format, it is clear that it is stored in a lossless form, and that it is possible for them (and potentially an attacker) to work out the plaintext password.

In any case, this is poor security.

One approach you, the user, can take to mitigate against such risks is to assign each site a unique random password. There are plenty of software tools that allow you to manage such passwords.

OTHER TIPS

If it was your original password then it's probably insecure. They might be encrypting it, but it's unlikely. And even if they were, encrypting passwords is only a bit better than saving them in plain text.
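The two storage models both answers describe, side by side as an added example (not code from the original question or either answer; the class names, method names and the PBKDF2 work factor are my assumptions): a store that can mail you your password back must hold it in a lossless form, whereas a store that keeps only a salted, slow hash can verify a login but cannot recover the password for anyone, operators included.

```python
import os
import hashlib
import hmac

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware
_DUMMY_RECORD = (b"\0" * 16, b"\0" * 32)  # used for unknown users so verify() always does the same work


class ReversibleStore:
    """Keeps the password itself. Encrypting it at rest is the same risk: the key
    sits next to the data, and anyone who can run the site's reset flow gets plaintext."""
    def __init__(self):
        self._secrets = {}

    def register(self, user, password):
        self._secrets[user] = password

    def verify(self, user, password):
        stored = self._secrets.get(user, "")
        return hmac.compare_digest(stored.encode(), password.encode())

    def recover(self, user):
        # The "forgot password" e-mail in the question is exactly this call.
        return self._secrets.get(user)


class HashedStore:
    """Keeps only (salt, PBKDF2-HMAC-SHA256 digest); the password cannot be read back."""
    def __init__(self):
        self._records = {}

    def register(self, user, password):
        salt = os.urandom(16)  # per-user salt: identical passwords give different records
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._records[user] = (salt, digest)

    def verify(self, user, password):
        salt, digest = self._records.get(user, _DUMMY_RECORD)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def recover(self, user):
        # Nothing in the record yields the password; the only honest answer is a reset link.
        return None

    def stored_record(self, user):
        salt, digest = self._records[user]
        return salt.hex() + ":" + digest.hex()
```

A site built on the second model can only ever offer a reset; receiving your original password by e-mail tells you the site is built on the first.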

Licensed under: CC-BY-SA with attribution