----------------------------------------
Plaintext passwords
May 12th, 2020
----------------------------------------

A recent set of exchanges on the fediverse reminded me that there are still plenty of poorly run websites and institutions that are storing user credentials in plain text. Yes, unencrypted plain text.

I remember the horror in my heart back in 2008 when I was trying to learn about virtual credit cards from my bank (a cool idea which went away for no good reason). I was on the phone and the customer service representative asked me for the 3rd and 5th letters of my password to verify my identity.

Did it hit you too? Did that little pit in your stomach open up like it did for me? How could this person know a specific character in my password?
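That question is only answerable if the provider can read the password back, which is the whole problem. The following is an added example, not code from the original post: a plaintext store can answer a "3rd and 5th letter" challenge, while a properly hashed store (random salt, slow one-way PBKDF2-HMAC-SHA256 digest, constant-time compare) can only answer "does this whole password match?". The function names and the sample password are constructed for illustration.

```python
# Added example (not from the original post): why a "give me the 3rd and 5th
# letter of your password" check proves the provider can read your password.
# A plaintext store can answer that question; a hashed store cannot, because it
# only keeps a salted, slow, one-way digest. Names and values are constructed.
import hashlib
import hmac
import os


def plaintext_store(password: str) -> dict:
    """Insecure: the credential is kept as-is and can be read back later."""
    return {"password": password}


def partial_challenge(record: dict, positions: tuple) -> str:
    """What the call-centre check needs: individual characters (1-based)."""
    pw = record["password"]  # only possible when the plaintext is stored
    return "".join(pw[i - 1] for i in positions)


def hashed_store(password: str, iterations: int = 600_000) -> dict:
    """Store only a random salt and a slow, one-way PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """The only question a hashed store can answer: does the full password match?"""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(partial_challenge(plaintext_store(pw), (3, 5)))  # "re"
    rec = hashed_store(pw)
    print(verify(rec, pw), verify(rec, "wrong"))  # True False
    # partial_challenge(rec, (3, 5)) raises KeyError: there is no plaintext to read
```

If a site can tell you which characters you got right, it is keeping something it can reverse; only a full-password check is possible against a proper hash.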
Needless to say, the conversation I had with the bank that day quickly changed. I wish that were the only time I had the experience, but it happened a second time in the same year in a conversation with Fidelity, who ran my 401k at my job at the time. In that case I was stuck. I couldn't choose to move my 401k to another provider. Thanks America.

Anyway, there's a ton of these places, including a downright scary number of banks (looking at you, Tesco). I figured gopher needed some place to reference the list of shame, so I made one [0] over in my Experiments section. There's a link over there to the master list managed in github as well. If you have others to add, make a PR and help shame them.

[0] List of sites storing passwords in plain text