Amtrak.com is storing your password in plaintext - maheswaran

I just forgot my amtrak.com password and tried to reset it, this is what I got:

Dear <your-name>,

Thank you for contacting Amtrak. The login information you requested is listed below.
Please save this information for future reference.

User ID: <youremailid@yourprovider>
Password: <your-password>

If you encounter any login difficulties, contact us online at
http://www.amtrak.com/contactus.html or call 1-800-USA-RAIL (1-800-872-7245).

Thank you for choosing Amtrak.
======
latch
I hate to be pedantic, but just because they send you your password in plain
text, doesn't mean they are storing it in plain text.

Does it mean they are doing a shitty job? Yes. Is storing a password using
two-way encryption more secure than plaintext? Laughably. Still...

~~~
fuzionmonkey
Presumably if the passwords are hashed they have no way of telling you your
password. They can only reset it.

So yes, generally if they send you the password then that means they store it
in plain text. While it isn't always that hard to crack a password hash, it is
unlikely that Amtrak went through that length to retrieve the password.

~~~
latch
I think you proved my point. There's a 3rd option - they could be using a
symmetric-key algorithm. This would make it trivial to decrypt for Amtrak -
while difficult for anyone else to decrypt.

The problem with this, and why people don't view it as much better than plain
text, is that it's a single point of failure - and if your DB has been
compromised, your secret keys (in a config or in source) probably aren't too
far behind.
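To make the three options concrete (plaintext, reversible encryption, one-way hash), here is an added example that is not from the thread and has nothing to do with Amtrak's actual systems. It stores only a salted PBKDF2 hash, so the site can verify a login but has nothing it could mail back to the user, and it replaces the "here is your password" email with a single-use, expiring reset token whose hash (not the token itself) is kept in the table. The iteration count, token lifetime and the in-memory dicts standing in for database tables are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

# Assumed parameters for this example (not taken from the thread or any real site).
PBKDF2_ITERATIONS = 600_000          # slow on purpose: raises the cost of offline guessing
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60

# In-memory stand-ins for the user table and the reset-token table.
USERS: Dict[str, dict] = {}
RESET_TOKENS: Dict[str, dict] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted, slow hash. Nothing in the returned record lets anyone recover the password."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def register(user_id: str, password: str) -> None:
    USERS[user_id] = hash_password(password)


def verify_password(user_id: str, password: str) -> bool:
    record = USERS.get(user_id)
    if record is None:
        # Run the KDF anyway so an unknown user takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


def stored_record_reveals_password(user_id: str, password: str) -> bool:
    """What a 'mail me my password' feature needs: the password sitting in the row.
    With hashed storage it is simply not there, which is fuzionmonkey's point."""
    return password in USERS[user_id].values()


def request_reset(user_id: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use, expiring token. The email carries this token, never a password."""
    if user_id not in USERS:
        return None  # the HTTP response should look identical either way (no account enumeration)
    current = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)
    # Store only the token's hash: a leaked token table is useless without the emailed token.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user_id,
        "expires": current + RESET_TOKEN_TTL_SECONDS,
    }
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (it is removed whether or not it is still valid) and set a new hash."""
    current = now if now is not None else time.time()
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or current > entry["expires"]:
        return False
    USERS[entry["user"]] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice@example.test", "correct horse")          # constructed sample account
    print("login ok:", verify_password("alice@example.test", "correct horse"))
    print("row contains password:", stored_record_reveals_password("alice@example.test", "correct horse"))
    token = request_reset("alice@example.test")
    print("reset accepted:", complete_reset(token, "new passphrase"))
    print("old password still works:", verify_password("alice@example.test", "correct horse"))
```

The contrast with latch's symmetric-key option is the key material: a reversible scheme needs a decryption key somewhere on the same servers, so the same breach that exposes the table usually exposes the key; the hash scheme has no key to lose, and the reset flow never needs one.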

------
bricestacey
I just tried it and they sent me the same email. They don't necessarily store
the password in plaintext as latch has explained.

They don't seem to store credit card information for future use, which is a
good sign. However, they do store a lot of personally identifiable information
that might make sending a password via email illegal in some states (at least
Massachusetts [1]).

[1] <http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf> - (3) Encryption
of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal
information to be transmitted wirelessly.

------
soho33
was that your actual password you had used or a random password they created
and sent you?!

------
imechura
I got an email like this from my domain provider the other day. I was curious
if someone might be able to sniff the network for SMTP messages then go
request a bunch of password resets from the website. Their support staff was
not too interested in the idea.

