Bad security
by hub, Wednesday 26 September 2012 at 13:24 :: Web :: #834
Broken Lock by lyudagreen, on Flickr
A big North American online travel booking system still stores passwords in plain text, or at least in a form it can read back and email to you. Worse: they claim they take your security seriously. Here is an excerpt of the confirmation email you get when you register:
USERNAME: USER@EMAIL.DOMAIN PASSWORD: We're serious about security. Since your password is confidential, we won't repeat it here. However, if you ever forget your password, you can always request a reminder
Yes, the email address really was capitalized in the message.
The other day I wanted to book some airline tickets, so I returned to the website. I had forgotten the password. No biggie: I followed the "lost password" procedure and chose "email" instead of the still idiotic "security question".
Guess what? I didn't get a link to reset my password, or a temporary password. No. I got my password sent in plain text. Worse: it was in UPPERCASE, and passwords are case insensitive in the system. Wow. Just wow.
PS: this is not the corporate travel booking system we use at Mozilla.
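To make the contrast concrete, here is an added example (not code from the post or from the site it describes) that puts the lost-password flow described above next to a hardened one. The broken store folds the password to uppercase and keeps it readable so a "reminder" can mail it back; the hardened store keeps case, stores only a salted PBKDF2 hash, and answers a lost-password request with a single-use, expiring reset token whose hash is all that the server keeps. The class names, the round count and the token lifetime are illustrative assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets
import time

# Assumptions for this example: PBKDF2-HMAC-SHA256 round count and the
# lifetime of a reset token. Tune both to your own budget.
PBKDF2_ROUNDS = 600_000
TOKEN_TTL_SECONDS = 15 * 60


class BrokenAccountStore:
    """The flow the post describes, reconstructed for contrast. Deliberately bad:
    the password is uppercased (case-insensitive login) and kept in readable
    form so that a 'password reminder' email can quote it back."""

    def __init__(self):
        self._users = {}  # EMAIL -> PASSWORD, both uppercased

    def register(self, email, password):
        self._users[email.upper()] = password.upper()

    def login(self, email, password):
        return self._users.get(email.upper()) == password.upper()

    def reminder_email(self, email):
        # Being able to write this function at all proves the stored form is recoverable.
        return "PASSWORD: " + self._users[email.upper()]


class HardenedAccountStore:
    """Salted PBKDF2 hash per user, case-preserving, constant-time comparison,
    and a reset-token flow instead of a reminder. Only a SHA-256 of each token
    is stored, so a leaked database does not hand out live reset links."""

    def __init__(self, rounds=PBKDF2_ROUNDS):
        self._rounds = rounds
        self._users = {}         # email -> (salt, hash)
        self._reset_tokens = {}  # sha256(token) -> (email, expires_at)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._rounds)

    def register(self, email, password):
        salt = os.urandom(16)  # fresh per-user salt; never reused on reset
        self._users[email.lower()] = (salt, self._hash(password, salt))

    def login(self, email, password):
        record = self._users.get(email.lower())
        if record is None:
            # Hash anyway so an unknown address costs the same time as a wrong password.
            self._hash(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))

    def request_reset(self, email, now=None):
        """Return the single-use token to embed in the reset link, or None for an
        unknown address (the email text sent to the user should not reveal which)."""
        now = time.time() if now is None else now
        email = email.lower()
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).digest()
        self._reset_tokens[key] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).digest()
        entry = self._reset_tokens.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self.register(email, new_password)  # new salt, new hash
        return True


def keyspace_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of the given length;
    used to show what case-folding a 62-symbol alphabet down to 36 costs."""
    return length * math.log2(alphabet_size)
```

Case-folding is not a cosmetic detail: folding the 62 letters and digits to 36 symbols strips roughly 0.78 bits per character, so an 8-character password loses about 6 bits, a 64-fold smaller search for anyone who later obtains the stored values. The reset flow also never reveals whether an address is registered, and a token that has been used once or has expired is refused.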
Comments
Wednesday 26 September 2012 17:07, by JB :: #
Wednesday 26 September 2012 22:38, by Ludovic :: #
Thursday 27 September 2012 13:16, by hub :: #