PSA: If you use a Forgot My Password feature and they send you your password, that’s BAD. Companies should NEVER store customer passwords for any reason.
This has been my day in password security:
I went to pay the trash bill this morning, but forgot my password. I used the “Forgot my password” link, assuming they’d send me an email with a way to reset my password.
Nope. Instead, they sent me my password. This is a serious security concern, and especially since it’s linked to an account with payment information. Here’s more information about why this is bad:
So I tracked down the creator of the payment portal. I found their website and sent an email to them, outlining why this is a security concern and why they should change it.
I sent it to their info@ email address. Bounce. Sent to webmaster@ address. Bounce. So I sent to sales@, support@, billing@, and marketing@, forwarding the bounced message.
A while later, I received a response. It wasn’t an RE: to my original email, but a new email with the subject line: Forgot Me Password (sic). The person wanted me to call them. In addition to the grammatical mistake, the person’s name was odd, and a subsequent google search didn’t turn up anything about a person with that working for that company. So I assume this person is probably out of the country?
Anyway, I declined to call them, and told them if they needed more information, I could provide that, and the issues I outlined should be fixable by a competent developer.
Person responded and said that I’d emailed their internal emails and they wanted to know how I got those emails. I directed them to THEIR OWN website, specifically the Contact Us page, and said that after the first two bounces, I sent to the other addresses. I then emphasized that the issue isn’t their internal emails, but their password security, or lack of.
He or she then asked me to send the bounced emails. I informed him or her that they should already have them, as I forwarded the bounce on my original email correspondence. Again, I asked them to address the lack of security features in their payment portal, as clearly the password is being stored by them in a database that is potentially hackable.
They then asked for the email I received that contained my password. So I sent that along. They responded: “I spoke to my supervisor about this and there’s already a defect that is being fixed about this.”
So that’s good. We’ll see if it actually gets fixed.