----------------------------------------
Plaintext passwords
May 12th, 2020
----------------------------------------
A recent set of exchanges on the fediverse reminded me that
there are still plenty of poorly run websites and institutions that
are storing user credentials in plain text. Yes, unencrypted
plain text.
I remember the horror in my heart back in 2008 when I was trying
to learn about virtual credit cards from my bank (a cool idea
which went away for no good reason). I was on the phone and the
customer service representative asked me for the 3rd and 5th
letter in my password to verify my identity.
Did it hit you too? Did that little pit in your stomach open up
like it did for me? How could this person know a specific
character in my password?
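The question above has a concrete answer: a help desk can only quote individual characters if the password is stored in a recoverable form. The following is an added example, not code from the original post, contrasting a plaintext store with a salted, iterated hash store. Class names, the user "alice" and the password "correct horse" are constructed for illustration; the PBKDF2 parameters are assumed choices rather than anything the post specifies.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hashing parameters (constructed choices for this example; pick values that
# take a noticeable fraction of a second on your own hardware).
HASH_ALGO = "sha256"
ITERATIONS = 600_000
SALT_LEN = 16


class PlaintextStore:
    """What a 'tell me the 3rd and 5th letter' help desk implies: the password
    itself is kept, so any breach or insider reads every credential."""

    def __init__(self) -> None:
        self._rows: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._rows[user] = password

    def verify(self, user: str, candidate: str) -> bool:
        return self._rows.get(user) == candidate

    def characters_at(self, user: str, positions: List[int]) -> List[str]:
        # Answerable only because the password sits on disk in the clear.
        return [self._rows[user][p - 1] for p in positions]

    def stored_record(self, user: str) -> str:
        return self._rows[user]


class HashedStore:
    """Salted, iterated hash: the server can confirm a password but never recover it."""

    def __init__(self) -> None:
        self._rows: Dict[str, Dict[str, str]] = {}

    def register(self, user: str, password: str, salt: Optional[bytes] = None) -> None:
        # A fresh random salt per user; the optional parameter exists only so
        # the example can be checked deterministically.
        salt = os.urandom(SALT_LEN) if salt is None else salt
        digest = hashlib.pbkdf2_hmac(HASH_ALGO, password.encode("utf-8"), salt, ITERATIONS)
        self._rows[user] = {
            "salt": salt.hex(),
            "digest": digest.hex(),
            "iterations": str(ITERATIONS),
        }

    def verify(self, user: str, candidate: str) -> bool:
        row = self._rows.get(user)
        if row is None:
            return False
        expected = bytes.fromhex(row["digest"])
        actual = hashlib.pbkdf2_hmac(
            HASH_ALGO,
            candidate.encode("utf-8"),
            bytes.fromhex(row["salt"]),
            int(row["iterations"]),
        )
        # Constant-time comparison so response timing does not leak digest bytes.
        return hmac.compare_digest(actual, expected)

    def characters_at(self, user: str, positions: List[int]) -> List[str]:
        # The honest answer to the bank's question: the record cannot say.
        raise LookupError("hashed record contains no password characters")

    def stored_record(self, user: str) -> Dict[str, str]:
        return dict(self._rows[user])


def record_contains_password(record: object, password: str) -> bool:
    """Crude breach check: does the stored row reveal the password verbatim?"""
    return password in str(record)
```

Both stores answer "is this the right password?" equally well; only the plaintext one can answer "what is the 3rd letter?", which is exactly why that question from a support line is a red flag. A real deployment would use a memory-hard function such as scrypt or Argon2 where available and keep the iteration count in the record so it can be raised over time.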
Needless to say, the conversation I had with the bank that day
quickly changed. I wish that was the only time I had the
experience, but it happened a second time in the same year in
a conversation with Fidelity, who ran my 401k at my job at the
time. In that case I was stuck. I couldn't choose to move my 401k
to another provider. Thanks America.
Anyway, there are a ton of these places, including a downright scary
number of banks (looking at you, Tesco). I figured gopher needed
some place to reference the list of shame, so I made one [0] over
in my Experiments section. There's a link over there to the master
list managed on GitHub as well. If you have others to add, make
a PR and help shame them.
[0] List of sites storing passwords in plain text |