More Password Stupidity

I’ve just found two more web companies that don’t know how to handle passwords. And one of them was a company I had a lot of respect for.

Fotango are closing down their photo service. So that their users weren’t left stranded by this, they set up a deal with Photobox whereby Fotango customers would get a Photobox account and all of their photos would be transferred over for them.

I don’t have any photos on my Fotango account (I’d actually forgotten that I had a Fotango account) but Photobox are offering 30 free prints, so I thought I’d go through the process anyway. The transfer seemed pretty painless and I was left looking at the Photoshop web site. I was logged on, but I requested my password anyway as I couldn’t remember the password I’d used when I set up the Fotango account.

Seconds later my password arrived in my inbox. And I really mean my password. Not a new randomly generated password or a link to change my password. My real password. In plain text.

So this means:

1/ Fotango have been storing my password in plain text.
2/ Fotango transferred my password to Photobox in plain text.
3/ Photobox are continuing to store my password in plain text.
4/ Photobox are happy to send my password to me in email in plain text.

Am I completely out of step with the rest of the internet here? Do most people not care that passwords are stored in plain text and sent around the internet without the most basic of security precautions? Ok, I know it’s only a few photos, but if people are used to this level of insecurity then they won’t expect it when it’s important – like online banking.

I’ve changed my Photobox password. But the change didn’t even go across an SSL connection!

Update (April 2012): I’m reliably informed by one of Photobox’s development managers that they no longer store passwords in plain text. Which is nice.

2 comments

  1. Know of any good books or sites that tell you how you *should* go about this? I mean, not storing passwords as plain text (or even as anything recoverable) makes perfect sense, but I’m sure that there’s a lot more to it than that. I’m looking for a general principles kind of thing – nothing too platform specific. (Though one of those books that purports to be platform specific but is actually a good source of general principles, in the vein of “Python Network Programming” or “Effective Java” would be fine.)
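As an added illustration of the two things the post says a service should be doing (this is example code written for this page, not anything from Fotango, Photobox or the commenter): passwords are stored only as a salted, slow hash, so there is nothing recoverable to email back, and a “forgot password” request produces a short-lived, single-use reset token instead of the password itself. The in-memory `USERS` and `RESET_TOKENS` tables are hypothetical stand-ins for a database.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory tables; a real service would use a database.
USERS: Dict[str, Dict[str, bytes]] = {}
RESET_TOKENS: Dict[bytes, Tuple[str, float]] = {}

PBKDF2_ITERATIONS = 600_000  # deliberately slow so offline guessing is expensive


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash; the stored value cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}  # no plaintext field at all


def verify(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison


def create_reset_token(username: str, ttl_seconds: int = 900) -> str:
    """What the reset email should carry: a random token that expires, never the password."""
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a leaked table cannot be used to reset accounts.
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (username, time.time() + ttl_seconds)
    return token


def redeem_reset_token(token: str, new_password: str) -> bool:
    """Single use: the entry is removed whether or not it is still valid."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or entry[1] < time.time():
        return False
    register(entry[0], new_password)
    return True
```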
