

JetBlue Passwords in Plaintext - cflyingdutchman

Hey Team,

JetBlue just sent me an email from noreply@jetblue.com welcoming me to my
travel bank account:

"
Hello XXXXX XXXXXX XXXXXX

The password for your Travel Bank account is provided below:

Password: xxxxxxxxx (password in plaintext)

As a TrueBlue member, you can easily manage this account, including updating
your password, when you sign in to TrueBlue. (Register here if you are not a
member yet).

Otherwise, please keep this email as it is the only password notification you
will receive. You will need to enter your Travel Bank login ID and password
when accessing your Travel Bank account online. Don’t know or didn’t receive
your login ID? Please call 1-800 JET-BLUE for further assistance.

Sincerely,

JetBlue Airways
"

I was shocked to see my password in plaintext and, upon researching,
discovered that it's not a new issue:
http://www.businessinsider.com/jetblue-passwords-in-plain-text-2012-7

A mistake like that from a large company is hard to understand, but not fixing
it when it's brought to their attention is even harder to understand. I've
written to JetBlue and gotten the standard "forwarded to the appropriate
Leadership Team" response and they refuse to give a timeline for the fix.

I don't know what the best options are at this point, but I figured that
JetBlue customers would want to know about the glaring fault in security.
======
r721
"Plain Text Offenders" blog shamed them even earlier, in May 2011:

[http://plaintextoffenders.com/post/5098971221/jetblue-com-wh...](http://plaintextoffenders.com/post/5098971221/jetblue-com-when-i-changed-some-info-in-my)

------
yaur
Careful about what you deduce from that. Just because they sent it to you in
plain text doesn't mean it is stored in plain text. Was the password something
you put in or something they generated on your behalf? If you do a "forgot my
password" and they can produce the password they are either using plain text
or reversible encryption (not much difference). If you get a reset link or a
new randomly generated password it's hard to tell how they are storing them.

Not that emailing them is a good idea, but it requires a different kind of
attack than if passwords are stored in plain text.

------
fuj
As it was said before, careful with what you are saying. That looks like a
welcome email, which was sent as soon as you registered (password not
encrypted yet) which is not a good idea anyway, but still, far from the
security issue it would be if they were stored in plaintext.

~~~
negativity
I dunno, it's still pretty debatable, since e-mail isn't guaranteed to be
encrypted over the wire, which leaves people open to MITM attacks.

So consider a situation where someone receives a password in plain text, and
the password never expires and never gets changed by the user.

All things considered, a token is a token, so whether the "password" is sent
in plaintext, or whether a nonce hex key is provided by e-mail, anything sent
by e-mail should have a shelf life, even if it's a relatively long one of like
30 days.

Ideally, it should expire in hours or minutes. If they don't get around to it
fast enough, you have the user's e-mail, just tell them you need to send them
another, because the last one expired. That way, you're forcing a live user to
interact with the system, and act quickly, to establish proper authentication
credentials.
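Two points raised in the thread, yaur's distinction between a server that can only verify a password and one that can hand it back, and negativity's point that anything e-mailed should have a shelf life and be used once, can be shown together in code. The example below is added here and is not JetBlue's code or anything from the thread: it stores only a salted, slow hash of the password (so the server cannot reproduce it on request), and the reset token it e-mails is stored as a hash with an expiry and a single-use flag. The in-memory dictionaries, the PBKDF2 iteration count and the 15-minute TTL are assumptions chosen for demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a database (assumption for this example).
USERS = {}          # login_id -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # token_id -> {"login_id": str, "digest": bytes, "expires_at": float, "used": bool}

PBKDF2_ITERATIONS = 100_000   # assumed tuning value; raise it for real hardware
TOKEN_TTL_SECONDS = 15 * 60   # a token that went out by e-mail is good for 15 minutes


def _derive(password: str, salt: bytes) -> bytes:
    """One-way, salted, slow hash: the server keeps this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def register(login_id: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[login_id] = {"salt": salt, "hash": _derive(password, salt)}


def verify_password(login_id: str, password: str) -> bool:
    rec = USERS.get(login_id)
    if rec is None:
        _derive(password, b"\x00" * 16)   # same cost for unknown users, so timing leaks nothing
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def issue_reset_token(login_id: str, now: float) -> str:
    """Return the one string that goes into the e-mail; only its hash is stored."""
    if login_id not in USERS:
        raise KeyError("unknown login id")
    token_id = secrets.token_urlsafe(9)     # public lookup key
    secret = secrets.token_urlsafe(32)      # 256-bit random secret the user proves possession of
    RESET_TOKENS[token_id] = {
        "login_id": login_id,
        # A high-entropy random secret needs no slow KDF; a plain SHA-256 is enough
        # to keep a database dump from yielding usable tokens.
        "digest": hashlib.sha256(secret.encode("ascii")).digest(),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{token_id}.{secret}"


def redeem_reset_token(presented: str, new_password: str, now: float) -> str:
    """Consume a token once and set a new password; return a short outcome label."""
    token_id, sep, secret = presented.partition(".")
    rec = RESET_TOKENS.get(token_id) if sep else None
    if rec is None:
        return "invalid"
    if not hmac.compare_digest(rec["digest"],
                               hashlib.sha256(secret.encode("ascii")).digest()):
        return "invalid"
    if rec["used"]:
        return "reused"        # worth alerting on: a consumed token came back
    if now > rec["expires_at"]:
        return "expired"       # user asks for a fresh one, as the comment above suggests
    rec["used"] = True
    salt = os.urandom(16)
    USERS[rec["login_id"]] = {"salt": salt, "hash": _derive(new_password, salt)}
    return "ok"


if __name__ == "__main__":
    register("alice", "correct horse")
    token = issue_reset_token("alice", now=0.0)
    print("mailed token:", token)
    print("redeem late:", redeem_reset_token(token, "new pw", now=TOKEN_TTL_SECONDS + 1))
    token = issue_reset_token("alice", now=0.0)
    print("redeem in time:", redeem_reset_token(token, "new pw", now=60.0))
    print("redeem again:", redeem_reset_token(token, "other", now=120.0))
```

Because `verify_password` can only compare a derived hash, a "forgot my password" flow built on this store is forced to issue a new token or a new random password; it has no way to e-mail the original, which is the observable difference yaur describes. The `reused` outcome is kept distinct from `invalid` so that a token presented twice can be logged separately from a random guess.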

