More Password Stupidity

I’ve just found two more web companies that don’t know how to handle passwords. And one of them was a company who I had a lot of respect for.

Fotango are closing down their photo service. So that their users weren’t left stranded by this, they set up a deal with Photobox whereby Fotango customers would get a Photobox account and all of their photos would be transfered over for them.

I don’t have any photos on my Fotango account (I’d actually forgotten that I had a Fotango account) but Photobox are offering 30 free prints, so I thought I’d go through the process anyway. The transfer seemed pretty painless and I was left looking at the Photoshop web site. I was logged on, but I requested my password anyway as I couldn’t remember the password I’d used when I set up the Fotango account.

Seconds later my password arrived in my inbox. And I really mean my password. Not a new randomly generated password or a link to change my password. My real password. In plain text.

So this means:

1/ Fotango have been storing my password in plain text.
2/ Fotango transfered my password to Photobox in plain text.
3/ Photobox are continuing to store my password in plain text.
4/ Photobox are happy to send my password to me in email in plain text.

Am I completely out of step with the rest of the internet here? Do most people not care that passwords are stored in plain text and sent around the internet without the most basic of security precautions? Ok, I know it’s only a few photos, but if people are used to this level of insecurity then they won’t expect it when it’s important – like online banking.

I’ve changed my Photobox password. But the change didn’t even go across an SSL connection!

Update (April 2012): I’m reliably informed by one of Photobox’s development managers that they no longer store passwords in plain text. Which is nice.