LowfatMatt wrote:
I assure you, all passwords ARE encrypted in our database.
As far as the password retrieval / reset process, that is changing soon.
Good to hear (the second part). As far as whether or not they are "encrypted", if the system can email me my password in plain text, a hacker (or disgruntled employee!) can get it as well.
Why does this matter?
1. Many people use the same password for multiple accounts, even though they shouldn't. A hacker steals username/email/password combos from your database and tries them on various bank websites.
2. The fact that you don't salt & hash passwords is a poor security practice. If there's one security hole (especially such an obvious one), should we trust you with our credit card info?
So thank you for the response to my original inquiry. Please do what you (as a company, not you Matt) can to accelerate a change in the password reset process, and please, please, please salt & hash passwords such that the plain text is unrecoverable.
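The two practices the post asks for, salted and hashed storage so the plaintext is unrecoverable, and a reset flow that never mails the password, look like this in code. This is an added example, not code from the poster, from LowfatMatt, or from the company being discussed. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the password hash, a per-user random salt, and a one-time reset token of which only a hash is stored; the iteration count, time-to-live and user records are constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed parameters for the example; real deployments tune the
# iteration count to their hardware and a target verification latency.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
RESET_TTL_SECONDS = 900


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt_hex$digest_hex'.

    A fresh random salt per password means two users with the same
    password get different stored values, and a stolen table cannot be
    attacked with one precomputed lookup.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    There is no inverse operation: the stored record can confirm a
    candidate but cannot yield the original password.
    """
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class UserRecord:
    """Minimal stand-in for a database row (constructed for the example)."""
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None
    reset_expires: float = 0.0


def _token_hash(raw_token: str) -> str:
    # Tokens are high-entropy random values, so a plain SHA-256 is enough
    # to keep the database copy useless to anyone who reads it.
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def create_reset_token(record: UserRecord, now: Optional[float] = None) -> str:
    """Return the raw token to email; only its hash and expiry are stored."""
    now = time.time() if now is None else now
    raw_token = secrets.token_urlsafe(32)
    record.reset_token_hash = _token_hash(raw_token)
    record.reset_expires = now + RESET_TTL_SECONDS
    return raw_token


def redeem_reset_token(record: UserRecord, raw_token: str,
                       new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password if the token matches, is unexpired, and unused."""
    now = time.time() if now is None else now
    if record.reset_token_hash is None or now > record.reset_expires:
        return False
    if not hmac.compare_digest(_token_hash(raw_token), record.reset_token_hash):
        return False
    record.password_hash = hash_password(new_password)
    record.reset_token_hash = None  # single use
    record.reset_expires = 0.0
    return True


if __name__ == "__main__":
    user = UserRecord("user@example.com", hash_password("correct horse battery staple"))
    print("stored:", user.password_hash)
    print("login ok:", verify_password(user.password_hash, "correct horse battery staple"))
    token = create_reset_token(user)
    print("emailed token (never the password):", token)
    print("reset ok:", redeem_reset_token(user, token, "new passphrase"))
```

The stored string carries the algorithm and iteration count, so the count can be raised later and old rows re-hashed on the user's next successful login. Nothing in the record lets the operator, or anyone who copies the database, reconstruct the password, which is exactly why a "here is your password" email is impossible once this is in place.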