by kurtisc 2768 days ago
IME banks often have poor security. And why not? They managed to rebrand robbery as identity fraud.

It's just infuriating, because credit card companies are the ones behind, for example, PCI. Which has guidance like:

"8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography"

This requirement is technically fulfilled by encrypting transmissions with TLS and storage with disk encryption like LUKS or VeraCrypt. It does not really say anything about password hashing.
The screenshot shows that the plaintext password was sent over SMTP. So it isn't meeting that bar either.
What makes you think it's SMTP and not SMTPS?
Because you can't force the endpoints of your customers to all support that.
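To make the distinction raised above concrete (disk encryption is reversible by anyone holding the key, whereas a salted password hash lets a server verify a login without ever being able to hand the password back, by email or otherwise), here is an added example that is not part of the thread and not any commenter's code. It uses only the Python standard library; the PBKDF2 iteration count, the record format and the toy XOR "cipher" standing in for disk encryption are assumptions chosen for illustration.

```python
"""Salted one-way password storage versus reversible encryption (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed illustration parameters, not a value taken from PCI DSS.
PBKDF2_ITERATIONS = 600_000
DIGEST_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.

    The salt is random per password, so equal passwords yield different records
    and precomputed tables are useless. The digest cannot be turned back into
    the password; the server only ever stores this record.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DIGEST_LEN
    )
    return "$".join([
        "pbkdf2_sha256",
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare in constant time."""
    try:
        alg, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record; never treat as a match
    if alg != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy reversible cipher standing in for 'encryption at rest' (illustration only).

    Whatever the real algorithm, the property that matters here is the same:
    the holder of the key gets the plaintext back.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def can_recover_plaintext(password: str, key: bytes) -> bool:
    """Show that encrypted storage is reversible: encrypt, decrypt, compare."""
    ciphertext = xor_encrypt(password.encode("utf-8"), key)
    return xor_encrypt(ciphertext, key).decode("utf-8") == password


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Correct horse battery staple", record))
    print("encrypted copy recoverable by key holder:", can_recover_plaintext("hunter2", b"k3y"))
```

The point the record format makes is that a system holding only `hash_password` output can still authenticate users but cannot produce the password for an email, which is why hashing, not transport or disk encryption alone, is what keeps a stored password unreadable in practice.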