Naming and Shaming the Plaintext Offenders

It was a fitting end to a week dominated by news of password breaches at major Internet companies. I’d sent a password reset request to a hosting provider I’ve used for years to host a file server online, and received an alarming response: The company sent me my password in plain text, all but advertising that they have zero regard for the security of their customers’ private information.

The site was used to store inconsequential files and images, but I cancelled my subscription nonetheless because the company’s response to my password reset request proved that they were storing my password without even making the weakest attempts at encrypting the information or storing it in a protected format.

Sadly, this practice appears to be quite common, particularly among low-cost hosting providers. I confronted the company, Hosting Metro, about its practices, but received no material response to my complaints aside from an automated “sorry to see you go” email.

I also submitted a redacted screen shot of the password reset email to plaintextoffenders.com, a site that regularly posts user-submitted images of password reset emails from companies that exhibit a complete lack of regard for customer password security. I would encourage all readers to do the same for any site that sends passwords in the clear.

Like many previous visitors to plaintextoffenders.com, I was surprised to see that the site’s search function does not work. The administrators of the forum seem to be aware of this, and have noted that visitors can search by company name via Google, by using the search convention “site:plaintextoffenders.com” followed by a Web site or company name. I would welcome the development of a browser plugin that uses a database of offending sites to warn users when they visit a site that practices unforgivably sloppy password security. Naming and shaming may be the only way to change this all-too-common practice.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s