by tsally 6025 days ago
There is a difference between storing plaintext passwords and actually losing them, and as much as I hate to give someone a pass on insecure password storage (it is, apparently, all I ever talk about here), you have to be intellectually honest.

I was intellectually honest. I explicitly said they didn't actually lose them.

37signals no longer stores easily attacked passwords.

I was under the impression that this was true as well. However, I just checked and I got my Backpack password emailed to me in plain text. So at least the Backpack application is still incorrect.

Either they haven't gotten to you in the rollout yet, or they aren't doing Backpack (which would surprise me).

The "honesty" comment wasn't directed to you, but it's obvious why you would think it was. Sorry.

The "honesty" comment wasn't directed to you, but it's obvious why you would think it was. Sorry.

Given your history of quality and logical posts, I pretty much knew the comment wasn't directed towards me. I just wanted to go on record to be sure. I'm sorry as well, I should have just let it fly.

Either they haven't gotten to you in the rollout yet, or they aren't doing Backpack (which would surprise me).

They're launching unified accounts soon for all services (you have to pick a new user name and password if I remember correctly). Perhaps this is when they'll roll out the password security? Seems like a logical time to me.

They're doing it as we speak. They had a 5 hour down time that stretched out to 10 hours on Saturday night getting systems migrated; they're announcing batches of accounts converted in Twitter over the week.

(NB: I'm friendly with several 37s people online, and I've talked to them about what they're doing, and while I'll leave it to them to talk up their security, I think they're OK on this issue now).