[theboss]

That's nothing.... A friend of mine forwarded some emails shes gotten from jet blue.

First this screenshot: http://i.imgur.com/oKKpFM1.png

Followed by the money screenshot: http://i.imgur.com/DlAlQPt.png

She redacted some of the information before she sent it (obviously). This is from Jan 21 of this year. It's just so sad.... It's incredible people still have plaintext passwords serverside....

[rallison]

While I can't stand passwords sent as part of a welcome email, this does not actually mean that they store the passwords in plaintext. Often, companies will send the username and password as part of a welcome email upon the user registering (and the above screenshots look exactly like that). This does not preclude the company from then hashing the password and storing it hashed.

That said, it still is a terrible practice, as any records of that email on the origin server or servers in between will thus contain the plaintext password.

[theboss]

Oh yeah. It's impossible to know who has your plaintext password on the backend (even steam who RSA encrypts your pw with a public key before sending), but this certainly is a bad practice and certainly makes it look like they do not have robust security practices.

[Istof]

If you use the "forget password" link and receive your old password by email, then they more then likely have your plain-text password unless they crack it on the fly?

[couchand]

If you receive your old password then yes, they do have it stored in plaintext. Usually these days forgotten password pages just ask you to create a new one, but if they don't that's a sure sign.

[gabriel34]

Not so sure; it could still be encrypted (also bad practice)

Still, if you receive your password back, that is a giant red sign screaming insecurity

[growupkids]

Or too many end users that forget their passwords. Never underestimate the costs of supporting password resets for nontechnical users.

[vacri]

This is a sentiment often missed by the security community. Good security is good to have, but if it makes the service unusable, it's worthless. And when it comes to the general public, that's a low bar set. Banking PIN codes are laughably poor security, but in general they do quite a reasonable job - people get their banking done, and the banks haven't collapsed in a heap due to PIN-based security violations.

This being said, the banks are also in the unusual position of being able to effectively insure themselves against relatively small losses (to them) in order to keep confidence in their business high.

[xanderstrike]

Did you tell her to make sure that password isn't used anywhere else?

[theboss]

She's a computer person too so she knows all this jazz.

[iopq]

oh come on, man

everyone's sent those emails before you try to do some smart templating, but your designer changes the template and never actually remembers that those were FILLER VALUES

[theboss]

I actually have no idea what you're talking about.

All I know is they sent her plaintext passwords to her, which she redacted before sending to me....

[iopq]

oh, I thought it was actually PUT_PASSWORD_HERE placeholders it wasn't clear, you should have put black bars there

[encoderer]

Agreed. I thought the same thing.

[stephengillie]

Is that what they did? Cuz that's not what your edited images show.

[jmcgough]

those are redactions that were edited into the image - the original had the actual information in it

[ams6110]

Google does the same thing, so I guess Jet Blue is in good company.

[theboss]

I don't know about that. Have a source? This is a pretty bad practice so I would be very surprised to see google doing this.

[ams6110]

If you have a google apps account, and you create an account for a user (or adminstratively reset their password for them) they will get an email like:

  Hi Tina,
  
  You have a new account at Example Association.
  
  Your username is tsmith. Your initial password is ZjAdhUVC
  (you will need to change this when you log in).
  
  Your new email address is tsmith@example.com
  
  You can sign in to Example Association services at:
  
  http://www.google.com/a/example.com

[Velox]

What's the issue? They force a reset so there is no difference between giving a temporary password like this or a URL which is unique to them?

[vacri]

(you will need to change this when you log in)

That's 'will need' not 'we ask nicely and you can ignore'. When you create a user, it gives the option of setting their password for them, or using a temporary password, which they have to change.

[squeaky-clean]

I can't reply to the post below you for some reason, so I'm posting here.

Yes, Google sends passwords in plaintext when you have to create an account for another user. But on your first login it requires you to change the password.