Ask HN: Are there any places that name & shame sites with shitty security? - heeton

If there isn't one yet, shall we make it?

After getting frustrated that my bank won't let me have a password with symbols in it (seriously??), I sent them a message.
The boilerplate reply I got doesn't fill me with confidence, so I'm wondering:

Is there a way to report offending sites like this?

A) Report a site/company that has shitty security practices. (They're storing passwords in plaintext, limiting strong passwords, are open to some attack)

B) Bubble up the worst offenders, show the list to the world.

C) Provide them with directions to literature so they can take steps to improve their situation if they care.
(And allow some discourse, so they can respond to the public about their problems and what is being done about them)
======
mathijs
This is not a website with a searchable archive, but it collects websites that
send you an email saying 'you just signed up and this is your password':
<http://plaintextoffenders.com/>

~~~
Spoom
You know, emailing you your password (while still a fairly questionable
security practice) after registration doesn't necessarily mean that they're
_storing_ it in plaintext. They could still have the plaintext password in
memory during the registration process, including the initial email.

Same deal with a newly generated password as a result of a forgotten password
link, though sites should force the user to change that on first login with
the temporary generated password.

Emailing you your existing password "out of the blue", of course, is just
irresponsible and unprofessional.

~~~
yashchandra
"They could still have the plaintext password in memory during the
registration process"

This is even worse IMO. So they are sending me a cleartext password that may
or may not have been stored in the DB yet? What if the DB write process aborts
while the user still gets the email? Bad bad bad.
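A worked version of the two flows discussed in this thread: Spoom's point that a site can store only a hash and still have the plaintext in memory at registration (and mail it), a forgot-password path that issues a temporary password which must be rotated on first login, and the commit-before-email ordering yashchandra is asking about. This is an added example, not code from any of the commenters or from any site discussed; the in-memory UserStore, the outbox list, the fail_writes switch and the function names are constructed stand-ins for a real database, mailer and handler.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False


class UserStore:
    """Constructed stand-in for a users table; fail_writes simulates an aborted commit."""

    def __init__(self, fail_writes=False):
        self.rows = {}
        self.fail_writes = fail_writes

    def write(self, user):
        if self.fail_writes:
            raise IOError("simulated database write failure")
        self.rows[user.email] = user


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 from the standard library (argon2id or bcrypt would be the
    # usual production choice). Only this value, never the password, is persisted.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def persist_then_notify(store, outbox, user, message):
    # Commit first; the mail is queued only after the write succeeded, so nobody
    # receives credentials for an account that was never created.
    store.write(user)
    outbox.append((user.email, message))
    return user


def register(store, outbox, email, password, echo_password=False):
    salt = os.urandom(16)
    user = User(email, salt, hash_password(password, salt))
    if echo_password:
        # The plaintextoffenders pattern: storage is hashed, but the password is
        # still in memory in this frame and gets copied into the welcome mail.
        message = "Welcome. Your password is: " + password
    else:
        message = "Welcome. Log in with the password you chose."
    return persist_then_notify(store, outbox, user, message)


def issue_temporary_password(store, outbox, email):
    # Forgot-password path: a fresh random secret whose hash replaces the old one,
    # flagged so that the first successful login has to rotate it. A new row object
    # is built so that a failed commit leaves the old credentials untouched.
    temp = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    user = User(email, salt, hash_password(temp, salt), must_change_password=True)
    persist_then_notify(store, outbox, user, "Temporary password: " + temp)
    return temp


def verify_login(store, email, password):
    """Return (ok, must_change). The hash comparison is constant-time."""
    user = store.rows.get(email)
    if user is None:
        return False, False
    ok = hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))
    return ok, ok and user.must_change_password


def change_password(store, email, new_password):
    salt = os.urandom(16)
    user = User(email, salt, hash_password(new_password, salt))
    store.write(user)
    return user


def mail_sent_after_failed_commit(email, password):
    """True if a registration whose DB write aborted still queued a mail (it must not)."""
    outbox = []
    try:
        register(UserStore(fail_writes=True), outbox, email, password)
    except IOError:
        pass
    return len(outbox) > 0


if __name__ == "__main__":
    store, outbox = UserStore(), []
    register(store, outbox, "alice@example.com", "correct horse battery", echo_password=True)
    print(outbox[-1])                     # welcome mail containing the plaintext
    print(store.rows["alice@example.com"].pw_hash.hex())   # only the hash was stored
    temp = issue_temporary_password(store, outbox, "alice@example.com")
    print(verify_login(store, "alice@example.com", temp))  # (True, True): rotate it
```

The echo_password switch is the only difference between a "plaintext offender" and a site that never mails the password at all; both store the same hash, which is why a welcome mail containing your password says nothing about how it is stored, while the write-then-mail ordering is what keeps a half-finished registration from ever producing a mail.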