

Companies with Poor Security Policies - mikegerwitz

I was recently on the phone with my domain registrar to confirm the cancellation of a package. This is their cancellation process: you log into their website, provide your login credentials, select a package to cancel, and then are provided with a page that looks essentially like this:

> For security reasons, your termination must be confirmed by our service team.

> For this purpose, call our service team at [...] and please have your Customer ID *and password* ready.

Wait...what? The customer number I understand, but surely the latter part of that message was a mistake. I gave them a call, fully expecting the purpose of the call to drill me on why I wish to cancel the product. Fortunately, that was not the case (which I must give them a lot of credit for). Unfortunately, after asking for my customer id and asking with whom they were speaking, I was indeed asked for my account password! So after making clear my stance on this terrible security policy, I proceeded to utter my rather sizable random string of characters.

This left me with a sour taste in my mouth for a number of reasons, most notably being:

1. I must now change my password. Firstly, I was told by an automated system that "this call will be monitored". Secondly, how do I know that I can trust this individual? Thirdly, who knows who is listening to that call? Phone conversations are hardly a secure means of communication.

2. It makes me terribly uncomfortable when my password can be retrieved by *any* party, even if it is the company with which I do business. Even if the password is encrypted (for all I know, it may not be), what if an attacker were able to decrypt it, or trick the system into e-mailing them the password? As it turns out, when I used the forgotten password link, *I was sent my password in a plain text e-mail!* Many people share passwords with multiple sites, so this is a terribly dangerous practice. I do not care how well my password is encrypted. Hash it with a salt, then encrypt it.

I'm leaving the company name out of this (not that it's at all difficult to figure out who someone's registrar is), but who else has experience with companies with terrible security practices? Do you still do business with them? This is a very large company, so surely I'm not the only person who has complained to them about their security policies (I'm also addressing this issue in a separate e-mail to them). I take great care in protecting my personal information, so it upsets me when anyone I provide that information to does not do the same.
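As an added example (not code from the original post or from the registrar), here is the storage scheme the post asks for, a salted password hash that cannot be read back or mailed out, together with a one-time reset-token flow that replaces "e-mail the user their password". The PBKDF2 iteration count, the function names and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: a reasonable current cost for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return a record holding a random salt and a PBKDF2-HMAC-SHA256 digest.
    The password itself is never stored, so no one can retrieve or e-mail it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class ResetTokens:
    """Forgot-password flow: mail a random single-use token, keep only its hash,
    so a leaked table of pending resets cannot be used to take over accounts."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> username

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # this value goes into the e-mailed link
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def redeem(self, token, new_password, users):
        key = hashlib.sha256(token.encode()).hexdigest()
        username = self._pending.pop(key, None)  # pop makes the token single-use
        if username is None:
            return False
        users[username] = hash_password(new_password)
        return True


def demo():
    users = {"alice": hash_password("correct horse battery staple")}  # constructed sample account
    ok = verify_password(users["alice"], "correct horse battery staple")
    bad = verify_password(users["alice"], "wrong")
    tokens = ResetTokens()
    token = tokens.issue("alice")
    reset = tokens.redeem(token, "new-passphrase", users)
    replay = tokens.redeem(token, "attacker-passphrase", users)  # already consumed, must fail
    return ok, bad, reset, replay, verify_password(users["alice"], "new-passphrase")
```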
======
euoia
Why not name and shame them?

Jeff Atwood covered this topic with typical readability almost 5 years ago.

http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html

