

TrendMicro sends passwords in plain text - that's security - syrnick

I just subscribed to the online account and got this:

Dear Alex Sxxxxxx,

Thank you for registering Worry-Free Business Security Services for Dell. Your account will be activated immediately.

Account Information
Service Name: Worry-Free Business Security Services for Dell
Activation Code: WF-HMWA---------------------

Logon Information
User Name: syrnick
Password: PASSWORD IN PLAIN TEXT
Validity: 455 days (2/7/2011 - 5/7/2012)
Product/Service Console: https://wfbs-svc.trendmicro.com/dell/

With password in plain text that makes me worry - what do they know about security?
======
drallison
What about Basic Authentication, the default authentication protocol for web
pages? Credentials are passed encoded as base-64, hardly better than plain
text in the open.

What would you propose as a better solution? Is there a difference in the
level of security you would want for a site like TrendMicro and the level of
security you would want for your Bank Account?

------
FirstHopSystems
Yes, sending credentials in plain-text is bad. I would be more worried about
your password being stored in plain text. That data is just sitting
there... waiting. Defended by super 1337 TrendMicro security!

~~~
cfinke
Since this password was sent in plain text at signup-time, there's a chance
that it was still hashed/encrypted before being stored. Not a good chance,
given the fact that they thought it was ok to send it in plain text at all,
but still a chance.

------
yuhong
They are not the only ones. Many websites do this. Not only with signing up,
but also with "forgot password" too.

