Better security through public shaming

Hat tip to @pmhesse

The folks behind plaintextoffenders.com are doing a great service to the Internet.

You should never see your password in an email from a company. If they are sending you a password, there are two major issues.

    Email is not inherently secure. The message may cross several mail servers in the clear, can be sniffed in transit, and then sits in your inbox (and their outbox) indefinitely; anyone who reads it knows your login.

    They are not hashing passwords in their database. A site that can mail you your existing password must be storing it either in plaintext or under reversible encryption with a key it also holds, so a single database compromise exposes every account at once. (A welcome email that merely echoes the password you just typed at signup is sloppy but does not prove this; a "forgot password" reminder that returns your current password does.)
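The difference between the two points above, as an added example that is not code from the original post: passwords stored as salted PBKDF2 records cannot be read back by the site, so the only honest "forgot password" email is a short-lived, single-use reset link. The in-memory user table, the token lifetime and the `offender_*` functions are assumptions for the demonstration.

```python
"""Password storage and reset flow that never needs the plaintext password.
Added illustration, not code from the original post. The in-memory tables
and the 15-minute token lifetime are assumptions for the demo."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # seconds a reset link stays valid (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest.
    It is one-way: nothing stored here lets the site recover `password`."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed in-memory "database" (email -> row); a real site uses a DB.
USERS: dict = {}
# sha256(token) -> (email, expiry). The raw token is never stored, so a
# database leak does not hand an attacker usable reset links.
RESET_TOKENS: dict = {}


def register(email: str, password: str) -> None:
    USERS[email] = {"pw": hash_password(password)}


def login(email: str, password: str) -> bool:
    row = USERS.get(email)
    return row is not None and verify_password(password, row["pw"])


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """What a 'forgot password' email should carry: a random, short-lived,
    single-use token (inside a link), never the password itself.
    Returns None for unknown users so the caller can still send a neutral
    message and not reveal which addresses have accounts."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (email, (now or time.time()) + RESET_TOKEN_TTL)
    return token


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (pop = single use), reject if expired, then store
    a fresh hash of the new password."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    email, expiry = entry
    if (now or time.time()) > expiry:
        return False
    USERS[email]["pw"] = hash_password(new_password)
    return True


# For contrast: the pattern plaintextoffenders.com catalogues. A reminder
# email like this is only possible because the site can read the password
# back, which means every row is exposed the moment the table leaks.
OFFENDER_USERS: dict = {}


def offender_register(email: str, password: str) -> None:
    OFFENDER_USERS[email] = {"pw": password}   # stored in the clear


def offender_reminder(email: str) -> str:
    return f"Your password is {OFFENDER_USERS[email]['pw']}"
```

A real deployment would swap PBKDF2 for argon2id or bcrypt where available and send the token by email as a link to a reset page; the point is that `hash_password` gives the site nothing to put in an email, which is exactly the property an "offender" lacks.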

The companies found on the site tend to be smaller businesses, which are a prime target for attacks.

From Wired

“Hackers are increasingly going after small businesses,” says Jeremy Grant, who runs the Department of Commerce’s National Strategy for Trusted Identities in Cyberspace.
…“They have more money than individuals and less protection than large corporations.”

So if you get an email with a password in it, go ahead and submit it to plaintextoffenders.com. Hopefully the exposure will get them to fix the problem.
