When will web sites start to be careful with people’s passwords? Oh, I know that a few sites get it right, but it seems to me that the vast majority still don’t have a clue what they are doing. Here is today’s example.
I got an email this morning from a company called RAM (that’s Research and Analysis of Media). Somehow they knew that I was an (occasional) Observer reader and they were inviting me to join a panel that would (as I understand it) answer occasional surveys about the Observer. It sounded like a good cause, so I signed up. As part of that process I gave them both a username and a password. They immediately confirmed my sign-up by sending them both back to me in an email.
That is, of course, a serious cause for concern, but there’s a slim chance that they aren’t storing my password in an accessible form in their database. The mail might have been generated from the data in the web form I filled in. However, an hour or so later I got another mail from them telling my how to log into me account and including my username and password. In fact, that one email contained all of the information needed to log into my account (web site address, username and password). So they have established themselves as a company who can’t be trusted with your password.
On the off-chance that they wouldn’t be sending me any more mails containing those details, I thought I’d try to return at least a small amount of security to my account by changing my password. Except that there is apparently no way to change your password from within your account. By this stage they are breaking records for password stupidity.
I’ve contacted them about the problems and send them a link to my basic guide to password handling article. I’ll let you know if I get any response. I hope their surveys are constructed with a little more thought then their web site.
Update: I heard back from them about not being able to change my password. You can do that in an “update profile” screen. Not sure why I didn’t spot that last week. Nothing from them about the password storage issues though.