

Ask HN: How to out a MAJOR online company storing passwords in plaintext? - dwelch2344

I recently became aware of a major online hotel broker that stores passwords as plaintext in their system. The management is aware of the technical risks and liabilities but has pushed off technical fixes for YEARS. Furthermore, the features of the website make it obvious that this could be a very valuable attack vector, as the reset feature emails you your current plain text password.

So the question is: what is the ethical way to raise the issue and force their hand in a fix?

(Sorry for brevity and spelling; mobile on holiday)
======
paulhauggis
How do you know it's actually plain text? There are plenty of 2-way encryption
methods out there.

Do you work there? If so, are you willing to lose your job over it?

These sorts of leaks can have devastating effects on the company/customers.
You should also think about the employees that work there as well. Are you
willing to risk their jobs in the event that the company loses money?

~~~
sigden
What legitimate use case is there for implementing a 2-way encryption method
over a hash function for passwords?

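The contrast sigden is pointing at, as an added example that is not part of the thread: a one-way salted KDF lets the site verify a login without ever being able to recover the password, and a "forgot password" flow then has to issue a short-lived, single-use reset token instead of emailing the password back (the failure the original question describes). Everything here is an assumption for illustration: the in-memory `USERS` and `RESET_TOKENS` dicts stand in for a database, the PBKDF2 iteration count is a placeholder to be tuned per server, and the 15-minute token lifetime is a constructed policy.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stand-ins for database tables (assumption, not a real backend).
USERS = {}          # username -> {"pw": "<kdf string>"}
RESET_TOKENS = {}   # sha256(token) -> {"user": username, "exp": unix_time}

PBKDF2_ITERATIONS = 200_000   # placeholder; tune upward as server hardware allows
RESET_TTL_SECONDS = 15 * 60   # constructed policy: tokens die after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a one-way, per-user-salted hash; the stored string carries its own
    parameters so the cost can be raised later without breaking old records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt/iterations and compare in constant time.
    Nothing here can turn `stored` back into the password."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def register(username: str, password: str) -> None:
    USERS[username] = {"pw": hash_password(password)}


def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Run the KDF anyway so response time does not reveal whether the account exists.
        hash_password(password)
        return False
    return verify_password(password, rec["pw"])


def start_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a random one-time reset token. Only its hash is stored, so a leaked
    token table is useless; the raw token is what gets emailed (never the password)."""
    if username not in USERS:
        return None  # caller should still send a neutral "check your email" response
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username,
        "exp": now + RESET_TTL_SECONDS,
    }
    return token


def finish_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use), reject it if expired, then re-hash the new password."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    now = time.time() if now is None else now
    if entry is None or now > entry["exp"]:
        return False
    USERS[entry["user"]]["pw"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", login("alice", "correct horse battery staple"))
    print("stored record:", USERS["alice"]["pw"])  # no password recoverable from this
    tok = start_reset("alice")
    print("reset accepted:", finish_reset(tok, "new passphrase"))
    print("old token reused:", finish_reset(tok, "again"))  # False: single use
```

The `now` parameters exist only so the expiry logic can be exercised deterministically; in production they are left at their default. The record format is the same idea a real password library uses, which is what makes a later migration to a stronger cost setting a per-login rehash rather than a forced reset.
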
~~~
ryanlol
Customer support. A human can then verify the user even if they can only
remember a part of the password.

~~~
stephenr
Sounds like a security flaw ripe for social engineering.

~~~
ryanlol
Customer support by itself tends to be a security flaw ripe for social
engineering.

~~~
stephenr
Phone support can be tricky yes, but there are other ways to identify the
caller without storing their password in plaintext

~~~
ryanlol
Callbacks? Users' PII? There are really no good ways to do phone verification.
You can't use any kind of shared secret, as people forget those.

~~~
stephenr
My bank uses an automated system to verify a pin (ie the operator transfers
you to confirm identity then you come back)

But it also depends on the realm. Before the saas craze, a lot more support
was performed in-house meaning you didn't have the same scale of problem.

~~~
ryanlol
Verify a PIN? But that's still something you have to remember; not providing
support for users who have forgotten their passwords doesn't tend to be an
option.

~~~
stephenr
As I said, it's for my bank, so it's my card PIN - I already need to remember
it.

Also as I said - this was much less of an issue when companies maintained IT
departments and installed software. It's much easier to verify that Julie on
the phone really is Julie when it's an internal support mechanism.

------
dublinben
Anonymously report to plaintextoffenders.com?

