
When it comes to password security, Greyhound.com is truly awful - hvo
https://arstechnica.com/security/2017/05/when-it-comes-to-password-security-greyhound-com-is-truly-awful/
======
jszymborski
Wow, a comment on that article describes a case that's far worse :S Involves
SSN/SIN and fixed-number PINs in the clear.

"Would you consider doing a story on
https://borrower.ecsi.net/ ?

Same thing, your password is an unchangeable 5-digit PIN that they email to
you in plain-text. But your username is your SSN. And you can't get rid of
your account until you pay off your student loans.

Fortunately they're not vulnerable to SQL injection, as far as I could tell. I
really wanted to email them their entire list of SSNs / passwords."

N-digit PINs on online sign-ins for universities are similarly awful and super
common. To boot, they often have username = firstname.lastname@university.edu,
so brute-forcing a target's password can be done on a laptop in short order.

------
brianjking
American Express is also quite bad in terms of what characters are permitted
to be used in passwords. However, Greyhound is out of this world in this case.

