Image: Broken Lock by lyudagreen, on Flickr

A big North American online travel booking system still stores passwords in plain text. Worse, it claims to take your security seriously. Here is an excerpt of the confirmation email you get when you register:

USERNAME: USER@EMAIL.DOMAIN
PASSWORD:  We're serious about security. Since your
password is confidential, we won't repeat it here. However, if you ever
forget your password, you can always request a reminder

Yes, the email address really is shown in uppercase.

The other day I wanted to book some airline tickets, so I returned to the website. I had forgotten the password. No biggie, I followed the "lost password" procedure and chose "email" instead of the still idiotic "security question".

Guess what? I didn't get a link to reset my password, or a temporary password. No. I got my password sent in plain text. Worse: it was in UPPERCASE, and passwords are case-insensitive in the system. Wow. Just wow.
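To make the two behaviours concrete, here is an added Python example (not code from the travel site or from this post) that puts the pattern described above next to what a practitioner would expect instead. The first store keeps the password itself, case-folded, so it can be "reminded" by email; the second keeps only a salted PBKDF2-HMAC-SHA256 hash, compares it in constant time, and handles "forgot password" with a single-use, expiring reset token whose value is itself stored only as a hash. Class names, the iteration count and the token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time


class ReminderAccountStore:
    """The pattern the post describes: password kept in recoverable form.

    Both the address and the password are uppercased before storage, which
    is why a reminder comes back in capitals and why login is case-insensitive.
    Hypothetical reconstruction of the observed behaviour, not the site's code.
    """

    def __init__(self):
        self._users = {}  # EMAIL -> PASSWORD (uppercased plain text)

    def register(self, email, password):
        self._users[email.upper()] = password.upper()

    def login(self, email, password):
        # Case-folding both sides: "Secret1" and "SECRET1" are the same password.
        return self._users.get(email.upper()) == password.upper()

    def reminder_email_body(self, email):
        # Anyone who can read the mailbox (or the database) now has the password.
        return f"PASSWORD: {self._users[email.upper()]}"


# Assumed parameters for the hardened store.
PBKDF2_ITERATIONS = 600_000       # PBKDF2-HMAC-SHA256 work factor (assumed)
RESET_TOKEN_TTL = 15 * 60         # reset link lifetime in seconds (assumed)
_DUMMY_SALT = os.urandom(16)      # used to equalise timing for unknown users


class HashedAccountStore:
    """Salted, iterated hash at rest; reset tokens instead of reminders."""

    def __init__(self):
        self._users = {}          # email -> (salt, iterations, digest)
        self._reset_tokens = {}   # sha256(token) -> (email, expiry)

    @staticmethod
    def _hash(password, salt, iterations):
        # Password is used exactly as typed: no case-folding, no trimming.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, email, password):
        salt = os.urandom(16)  # fresh salt per (re)registration
        digest = self._hash(password, salt, PBKDF2_ITERATIONS)
        # Normalising the *address* is a deliberate choice; the password is not touched.
        self._users[email.lower()] = (salt, PBKDF2_ITERATIONS, digest)

    def login(self, email, password):
        record = self._users.get(email.lower())
        if record is None:
            # Do the same amount of work so timing does not reveal valid usernames.
            self._hash(password, _DUMMY_SALT, PBKDF2_ITERATIONS)
            return False
        salt, iterations, digest = record
        return hmac.compare_digest(self._hash(password, salt, iterations), digest)

    def issue_reset_token(self, email, now=None):
        """Return the secret to embed in the reset link; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._reset_tokens[key] = (email.lower(), now + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        """Single use: the token is removed whether or not it is still valid."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._reset_tokens.pop(key, None)
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.register(email, new_password)  # re-salts and re-hashes
        return True
```

The reminder store can only send the password because it never discarded it; the hashed store cannot send anything useful even to a legitimate user, which is the point. The case-folding also costs entropy on top of the storage problem: an 8-character password drawn from 62 alphanumerics has 62^8 possibilities, but once uppercased it is drawn from only 36, so the attacker who obtains the reminder email or the database has a space more than 75 times smaller to search.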

PS: this is not the corporate travel booking system we use at Mozilla.