

Virgin America Stores Your Password in Plaintext - jamiequint
http://i.imgur.com/AjF3P.png
Virgin America emailed me this when sending me credit. I've edited the personal details out, but as you can see the password is clearly shown in plaintext. Unacceptable.
======
getsat
Did you receive that email after registering? The controller action processing
your request would have access to the POSTed plaintext password and could pass
it right into the email template before it's sent (or queued to be sent). This
doesn't mean they're storing it in plaintext.

If you request a password reset and they send back your plaintext password,
then they likely are.

    # Rails mailer call: the controller hands the POSTed password straight to the email template
    Notifier.new_signup(:email => params[:email], :password => params[:password]).deliver

~~~
jamiequint
I got it over a year later, just cancelled a flight and got an email reminding
me of the credit they set me up with. My login and password were in that
email, so the above scenario does not seem like what is going on.

~~~
getsat
Huh, in that case, you're probably right. Scary/disconcerting.

------
pbreit
Just to be precise, that doesn't necessarily mean it's stored in plain text
since it could be 2 way encrypted (which I would argue is at least marginally
safer than plain text). Or if it's a registration, it could be added to the
email prior to storing.

Also, a double whammy in exposing a user-specified secret in email. That makes
hacking into email considerably more valuable.
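
An added example in Ruby (not from the thread and not Virgin America's code; Ruby because getsat's snippet is Rails) contrasting the three storage choices the thread debates, and what each one lets a "here is your credit and login" email or a password-reset flow reveal. The store classes, field names and sample credentials are all constructed for illustration.

```ruby
require "openssl"
require "securerandom"
# Added illustration, not from the thread: what each storage choice lets a mailer reveal.
# 1. Plaintext: stored as typed, so any mailer can paste it into a template.
class PlaintextStore
  def initialize; @rows = {}; end
  def register(email, password); @rows[email] = password; end
  def recoverable_password(email); @rows[email]; end # what the OP's email showed
end
# 2. Reversible ("2-way") encryption: anyone holding the app key, mailer code
# included, can decrypt. Better at rest than plaintext, still mailable.
class EncryptedStore
  KEY = SecureRandom.random_bytes(32) # constructed demo key for this example
  def initialize; @rows = {}; end
  def register(email, password)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = KEY
    iv = c.random_iv
    @rows[email] = [iv, c.update(password) + c.final, c.auth_tag]
  end
  def recoverable_password(email)
    iv, ct, tag = @rows[email]
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = KEY; d.iv = iv; d.auth_tag = tag
    d.update(ct) + d.final
  end
end
# 3. Salted, iterated hash (PBKDF2-HMAC-SHA256 from the stdlib; use bcrypt or
# argon2 in production). The row can only be verified, never reversed, so the
# site has nothing to mail back and a reset must issue a fresh token instead.
class HashedStore
  ITERATIONS = 100_000
  def initialize; @rows = {}; end
  def register(email, password)
    salt = SecureRandom.random_bytes(16)
    @rows[email] = [salt, derive(password, salt)]
  end
  def authenticate?(email, password)
    salt, stored = @rows[email]
    candidate = derive(password, salt)
    # constant-time compare: no early exit at the first differing byte
    stored.bytesize == candidate.bytesize &&
      stored.bytes.zip(candidate.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
  def recoverable_password(_email); nil; end # nothing reversible to send back
  private
  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: "sha256")
  end
end
```

The practical test from the thread follows directly: a site that can email you your current password is running one of the first two stores, while the third can only confirm or deny a password you present.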

~~~
jamiequint
True, but 2-way encryption is only slightly less unacceptable.

~~~
pbreit
Which I sort of mentioned.

