

Discover Bank storing passwords in plaintext - nivla
http://techflock.com/discover-card-storing-passwords-in-plaintext

======
joezydeco
Dumping tech-speak on a first-tier customer service rep, I guarantee you, will
get you absolutely nothing except a boost to your internal pride meter. This
needs to be communicated in another way.

~~~
dustywusty
Agreed. That part was hard to read.

------
pdubs
The worst part is that it comes by email, which _is_ plaintext everywhere.

However, "encrypted in a database" is not "plaintext". It's certainly not
ideal or recommended, that's for sure, but it's not the worst way to handle
passwords. If properly implemented, a bunch of AES encrypted passwords without
a key are nearly as useless to an adversary as a bunch of bcrypt hashes.

Just don't reuse passwords (at least for accounts you care about) and it
really doesn't matter.

------
krrrh
37Signals did this on Basecamp for years too. I haven't checked recently and I
assume when they consolidated their authentication they probably fixed it.

It was pretty shocking to get my password in plaintext in an email from a
leading web app developer. Especially after DHH's multiple beratings of
developers who used authentication libraries instead of rolling their own
salted password hashing, because you should really understand how your app is
handling such things yourself!

I was surprised that I never saw anyone bring it up anywhere.
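The salted, iterated password hashing that pdubs contrasts with reversible encryption, and that DHH argued developers should understand, as an added Python example (not code from any of the posters or from 37Signals): the stored record lets a site verify a password but never recover it, so it could not be mailed back to the user. Parameter values and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed policy values; tune the iteration count for the deployment.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<digest hex>.
    A fresh random salt per user defeats precomputed tables and shared-password
    correlation; the record contains nothing from which the password can be read back."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time. A malformed record simply fails verification."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below current policy, so it can be upgraded
    transparently at the user's next successful login (the only moment the
    plaintext is available to the server)."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong password"))  # False
```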

