by lengarvey 5069 days ago
In slight defense of that horrible password practice:

You can't really do much with a realestate.com.au account unless you are an Agent (which is a separate account). There's no payment processing, or any way to add content to the site. The accounts there are basically just a way to save common realestate searches as far as I can tell.


Yeah, no.

All private user information is equally private. To arbitrarily suggest that certain data is less important is a dangerous road to walk down. We should be holding everyone to the same standards when it comes to security.

This is especially true with the high amount of password reuse that goes on.

I'm not sure I agree. I'd say my name is private, I'd say my date of birth is more private, I'd say my medical conditions are more private still. There are clearly degrees of privacy.

Does it really make sense to hold my bank to the same standard as a real estate website? Sure they should all reach some minimum requirement (salted and hashed passwords), but I expect my bank to have far higher standards (e.g. two factor auth) than a random site.

The problem with storing passwords insecurely is that people reuse them. You can try to tell them otherwise as much as you like, they will do it, so even if one service holds non-sensitive data, stealing the password will grant access to other, completely unrelated services.

Yeah that was overly simplistic.

I guess the issue is that the layman cannot really tell how secure a solution is, and so is unlikely to be able to make well reasoned decisions about the information they release. As such there really needs to be a far greater level of responsibility placed on people who hold the keys so to speak. Once again this is especially true since people re-use (and use overly simple) passwords at a scary rate. By not protecting their information on a crappy real estate website you are potentially leaving open their bank to abuse.

I feel instances like these just show dangerous levels of incompetence and a blatant disregard for users' information. Good solutions generally require less work anyway so there's no excuse.

This is clearly not true, or HIPAA would apply to my street address, and sites that want my phone number would have to be PCI compliant.

PCI compliance is an industry standard, not a regulatory standard, so it's not a valid comparison. Also, PCI compliance isn't for privacy reasons, it's for loss mitigation.

Amusingly enough, the banks who impose PCI compliance on merchants aren't themselves required to be PCI compliant, and some of them will happily e-mail you extremely sensitive customer data (no matter how many times you ask them not to), even though doing so yourself would violate PCI compliance.

All realestate.com.au are trying to do is give the user a persistent session registered to their email address. Think of it as kind of like a cookie which you can easily transfer between browsers to get a slightly more personalised experience.

> This is especially true with the high amount of password reuse that goes on.

I do agree that it is a bit off (read: probably illegal) that they allow users to change the password and then store the user's password in plaintext. The system would be considerably better if users could only use a system-generated password.
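Added example (not code from the thread or from realestate.com.au): a minimal account store that covers the two points raised above, the "salted and hashed passwords" minimum from the earlier comment and the "system-generated password" idea from this one. It uses only the Python standard library (PBKDF2-HMAC-SHA256 with a per-user random salt, constant-time comparison, and `secrets` for issuing passwords). The iteration count, record format, class and function names, and the sample e-mail address are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for the example;
# a real deployment tunes this to its hardware and revisits it over time.
ITERATIONS = 200_000


def generate_password(length_bytes: int = 12) -> str:
    """Issue a random, system-generated password (the user does not choose it)."""
    return secrets.token_urlsafe(length_bytes)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh 16-byte salt per call means two users with the same password
    get different records, and a leaked table cannot be attacked with one
    precomputed lookup across all users.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Hashing an arbitrary string once so unknown-user lookups cost the same
# time as a real verification (avoids leaking whether an account exists).
_DUMMY_RECORD = hash_password("dummy")


class UserStore:
    """Hypothetical account store keyed by e-mail; holds only hashed records."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, email: str) -> str:
        """Create the account with a system-generated password and return it once."""
        password = generate_password()
        self._records[email] = hash_password(password)
        return password

    def set_password(self, email: str, password: str) -> None:
        """Allow a user-chosen password; it is still never stored in clear."""
        self._records[email] = hash_password(password)

    def check(self, email: str, password: str) -> bool:
        record = self._records.get(email)
        if record is None:
            verify_password(password, _DUMMY_RECORD)  # equalise timing
            return False
        return verify_password(password, record)

    def dump(self) -> Dict[str, str]:
        """What an attacker sees with a copy of the table: no plaintext."""
        return dict(self._records)


if __name__ == "__main__":
    store = UserStore()
    issued = store.register("user@example.com")  # constructed sample user
    print("issued password:", issued)
    print("stored record:  ", store.dump()["user@example.com"])
    print("login ok:", store.check("user@example.com", issued))
    print("wrong pw:", store.check("user@example.com", issued + "x"))
```

The point of `dump()` is the contrast with the plaintext practice discussed in the thread: a copy of this table gives an attacker salted PBKDF2 records to grind through per user, not a list of reusable credentials. Note that hashing does not address the e-mailing of passwords at all; a system-generated password still has to be delivered to the user over a channel the site is willing to trust.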

Actually, you do a lot with them; I could take a significant portion of them and log on to the account holders' Twitter / Facebook / GMail. Reuse is rampant and anyone who holds credentials has a duty of care to protect them.