
Legoland.com returns forgotten passwords in cleartext - posharma
Shocked to discover that Legoland.com returns forgotten passwords in cleartext. I didn't remember my password and clicked on the Forgot my password link. Here's the email I got:

Hello <My Name>,
We received your request for a password reminder for your account with
us. Your password is: <my password in cleartext>
Please visit the link below to log in:
http://secure.legolandcaliforniaresort.com/LLC/Account/AccountLogin.aspx
Do not reply to this message. Replies to this message are not monitored
or answered.
======
zeep
you should send that to
[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

------
bryanrasmussen
that doesn't mean it stores it in cleartext, it means they sent it to you in
cleartext, which is also bad but different.

~~~
zeep
I think it does, unless they spend resources into cracking your password right
before they send it back to you (which you can almost be sure that they don't
do that)...

~~~
serf
No, it doesn't.

It means that they are able to compute the users' password with resources
available to them, not that they store clear-text passwords.

If a password is stored in such a way as to be decipherable by using a
cryptographic algorithm to recombine multiple (hopefully some being secret)
elements, it's not stored in cleartext.

We don't know that this is the case as far as Legoland goes, but we also don't
know that they store clear-text passwords simply by being able to return one
to a specific user via email. It's an unsafe practice (cleartext email
password return), but it doesn't indicate much about how they choose to store
passwords.

