

Discover.com stores passwords in clear text - feydr

Had to reset my password earlier today -- they emailed me a copy of it.

Not only proving that they store it in clear text, but I also noticed that it was downcased (or that they don't care about caps) and that it was also capped at 10 characters (it chopped off a few characters).

This is something like the 5th time in the past couple of weeks where sites have emailed me a password.

I go to a lot of startup events and I'd say a good 40% of them are storing passwords in the clear. You could argue that some of these are just emailing the password within the HTTP request itself, but let's admit -- that's not too bright either.

All this talk about antisec/lulzsec is completely stupid when you have well known sites like this that implement these abominable security measures.

If you don't care about security you don't care about your customers, and I hope your startup gets its ass sued to hell and back.
======
pavel_lishin
Verified that, at least, passwords are not case sensitive.

Good thing it's a one-off that I think they generated for me (it's too short
for it to have come from LastPass.)

I imagine this was done on purpose so that when grandma types "goodkitty"
instead of "GoodKitty", she doesn't get confused by the website's refusal to
let her in. From a usability perspective - for the majority of customers who
don't use password utilities like 1Password - it makes sense.

~~~
MichaelStubbs
>Good thing it's a one-off that I think they generated for me

Is that really a good thing? If they can't store it properly, what are the
chances of them generating it properly?

~~~
pavel_lishin
Well, it's not great - I actually just changed it, but the generated password
was "3PTJJV7". Not too awful, aside from the length, which has a maximum of 10
characters and doesn't allow special characters.

It also asked me to confirm my new username and password, helpfully showing me
my username and asterisks for the password. :/

------
aasarava
I don't know about Discover.com, but Discovercard.com (for credit card account
access) seems to cap passwords at 8 characters, which drives me crazy. Other
than someone setting a database column to 8 chars and not wanting to deal with
altering the table, what good can come of limiting password size to 8 chars?

~~~
feydr
Ahh -- my bad, discover.com redirects to discovercard.com.

Also, I just double-checked -- I have a mix of upper and lowercase in my
password -- I downcased it and submitted -- and got in -- can someone explain
that? I mean you have to pretty much go to lengths to do that... it's insane.

~~~
pavel_lishin
If they're storing it in plaintext, with a mysql backend - mysql doesn't care
about case, by default. (At least, in my experience, this might have changed.)

------
latch
(I post this every time)

This doesn't prove that they actually store it in plain text. They could be
storing using a reversible encryption algorithm.

Yes, I realize that this is almost as bad as storing it in plain text.
However, not knowing the high-level difference between symmetric, asymmetric,
hashing and cryptographic hashing is just as bad. (And I'm not saying the OP
doesn't know the difference, but I am saying most people (maybe not on HN)
don't).
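
The thread describes three symptoms (the site can email the password back, "goodkitty" logs in as "GoodKitty", and anything past the 10th character is ignored) and, in the comment above, the distinction between reversible storage and a cryptographic hash. The following is an added example, not code from the original post or from Discover: a constructed reconstruction of what a comparison with those symptoms looks like, beside a store that keeps only a salted PBKDF2-HMAC-SHA256 digest. The legacy function, the column width, the iteration count and the `Optional` salt parameter are assumptions for illustration; with a hash on file there is nothing to email, case is preserved, and a 40-character password is distinguishable from its first 10 characters.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the original page): PBKDF2-HMAC-SHA256 is used
# because it is in the standard library; scrypt or Argon2 would be the first
# choice in a new system. 600k iterations is a reasonable 2023-era work factor.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
LEGACY_COLUMN_WIDTH = 10  # hypothetical VARCHAR(10) behind the reported truncation


def legacy_matches(stored_plain: str, attempt: str) -> bool:
    """Constructed reconstruction of the behaviour described in the thread:
    the plaintext is truncated to the column width and compared without
    regard to case (as a case-insensitive collation would). This is the
    'before'; do not use it."""
    return stored_plain[:LEGACY_COLUMN_WIDTH].lower() == attempt[:LEGACY_COLUMN_WIDTH].lower()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$digest_hex'.
    The password itself is not stored, so it cannot be emailed back."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time. No lowercasing, no truncation: the full UTF-8 password is
    the KDF input, so case and length both matter."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(password: str, record: str) -> bool:
    """True if the stored record contains the password (or its lowercase form)
    verbatim, i.e. if a leaked table would hand the password straight back."""
    return password in record or password.lower() in record


if __name__ == "__main__":
    # Constructed sample inputs echoing the thread's examples.
    pw = "GoodKitty"
    print("legacy, wrong case       :", legacy_matches(pw, "goodkitty"))         # True  (bug)
    print("legacy, 10-char prefix   :", legacy_matches("correcthorsebattery", "correcthor"))  # True (bug)
    rec = hash_password(pw)
    print("record:", rec)
    print("hashed, right case       :", verify_password(pw, rec))               # True
    print("hashed, wrong case       :", verify_password("goodkitty", rec))      # False
    print("record reveals password  :", record_reveals_password(pw, rec))       # False
```

The record format carries its own iteration count, so the work factor can be raised later by re-hashing on the next successful login without a schema change; that is also why an 8-character `VARCHAR` column is never a reason to cap password length, since the stored digest has a fixed size regardless of how long the password is.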

------
sander
I still encounter this on many websites unfortunately :(

I'm thinking there should be a browser plugin that lets me report this and
also warns me when I'm on such a website. Who's with me?

------
tnorthcutt
americanexpress.com caps passwords at 8 characters long, FYI. Not sure if they
also limit which types of characters can be used.

------
namank
I _think_ this may be driven by usability where they want to make it as easy
as they can for the user to engage.

I agree with you though, security trumps usability for this one.

