When will web sites start to be careful with people’s passwords? Oh, I know that a few sites get it right, but it seems to me that the vast majority still don’t have a clue what they are doing. Here is today’s example.
I got an email this morning from a company called RAM (that’s Research and Analysis of Media). Somehow they knew that I was an (occasional) Observer reader and they were inviting me to join a panel that would (as I understand it) answer occasional surveys about the Observer. It sounded like a good cause, so I signed up. As part of that process I gave them both a username and a password. They immediately confirmed my sign-up by sending them both back to me in an email.
That is, of course, a serious cause for concern, but there’s a slim chance that they aren’t storing my password in an accessible form in their database. The mail might have been generated from the data in the web form I filled in. However, an hour or so later I got another mail from them telling my how to log into me account and including my username and password. In fact, that one email contained all of the information needed to log into my account (web site address, username and password). So they have established themselves as a company who can’t be trusted with your password.
On the off-chance that they wouldn’t be sending me any more mails containing those details, I thought I’d try to return at least a small amount of security to my account by changing my password. Except that there is apparently no way to change your password from within your account. By this stage they are breaking records for password stupidity.
I’ve contacted them about the problems and send them a link to my basic guide to password handling article. I’ll let you know if I get any response. I hope their surveys are constructed with a little more thought then their web site.
Update: I heard back from them about not being able to change my password. You can do that in an “update profile” screen. Not sure why I didn’t spot that last week. Nothing from them about the password storage issues though.
It might be worth asking them if their organisation is a member of the Market Research Society. I work in the same industry and because of its nature, there are fairly strict rules about handling respondents’ personal data.See http://www.mrs.org.uk/code.htm
Ooh. Interesting idea. Thanks. I’ll bear that in mind.
My favourite story is with a certain organisation which handles money that sent me both my username and password in the same plaintext e-mail. That’s okay, I’ll change my password using the super-duper security hardened application they provide.
What happens when I change my password? Another e-mail to confirm my password had changed. No prizes for guessing what it contained.
A good example of a stupid password protection system and a net banking portal that is totally open for the taking is one of our local (Malaysian) banks who also do the same thing, send you all the required information via a single email. The bank is question is Maybank and you can find them if you google them.