Our healthcare provider is storing passwords in plain text. When I went in for my health screening, they had everyone's forms printed out, with our passwords written on sticky notes attached to the front. Hundreds of people's health data, wide open for the taking. I was beyond pissed. Then I found out that they don't use ssl on their service, and the password can be retrieved at the click of a button. Ended up speaking with a C-level about it. Her response was that they are perfectly within HIPAA compliance, and that she would have to talk to their CTO about any other problems with their data security. Looking at the HIPAA, I have to say, it's not very clear on the need for hashing passwords. Still, I reminded her of the massive liability they are opening themselves to. She promised to get back in touch with me, but I haven't heard anything since (imagine that).
Lol, my dad is an endodontist and he hasn't made his website interactive (patient accounts, interactive appointment scheduler, interactive referrals) yet because he can't afford a webdev that would make it secure (salting/encryption).

My dad is an endodontist with zero software/web experience and even he knows not to keep passwords in plaintext and to use ssl.

I'm only a CS undergrad and I'm learning webdev so I can implement it for him but I still know to hash and salt your passwords. The fact that people implement these critical systems (and get paid for it) without knowing basic practices makes me worry about the future.
My 401K company, Kibble & Prentice, does the same thing. They make you call a phone number if you forget your password, and then the operator reads the password out loud to you over the phone. Freakin' amazing. I told HR and they said they'll change companies, but that was six months ago, so... who the hell knows.