She redacted some of the information before she sent it (obviously). This is from Jan 21 of this year. It's just so sad.... It's incredible people still have plaintext passwords serverside....
While I can't stand passwords sent as part of a welcome email, this does not actually mean that they store the passwords in plaintext. Often, companies will send the username and password as part of a welcome email upon the user registering (and the above screenshots look exactly like that). This does not preclude the company from then hashing the password and storing it hashed.
That said, it still is a terrible practice, as any records of that email on the origin server or servers in between will thus contain the plaintext password.
Oh yeah. It's impossible to know who has your plaintext password on the backend (even Steam, which RSA-encrypts your pw with a public key before sending), but this certainly is a bad practice and certainly makes it look like they do not have robust security practices.
If you use the "forgot password" link and receive your old password by email, then they more than likely have your plain-text password, unless they crack it on the fly?
If you receive your old password then yes, they do have it stored in plaintext. Usually these days forgotten password pages just ask you to create a new one, but if they don't that's a sure sign.
This is a sentiment often missed by the security community. Good security is good to have, but if it makes the service unusable, it's worthless. And when it comes to the general public, that's a low bar set. Banking PIN codes are laughably poor security, but in general they do quite a reasonable job - people get their banking done, and the banks haven't collapsed in a heap due to PIN-based security violations.
This being said, the banks are also in the unusual position of being able to effectively insure themselves against relatively small losses (to them) in order to keep confidence in their business high.
Everyone's sent those emails before.
You try to do some smart templating, but your designer changes the template and never actually remembers that those were FILLER VALUES.
I can't reply to the post below you for some reason, so I'm posting here.
Yes, Google sends passwords in plaintext when you have to create an account for another user. But on your first login it requires you to change the password.
If you have a Google Apps account, and you create an account for a user (or administratively reset their password for them), they will get an email like:
Hi Tina,
You have a new account at Example Association.
Your username is tsmith. Your initial password is ZjAdhUVC
(you will need to change this when you log in).
Your new email address is tsmith@example.com
You can sign in to Example Association services at:
http://www.google.com/a/example.com
That's 'will need' not 'we ask nicely and you can ignore'. When you create a user, it gives the option of setting their password for them, or using a temporary password, which they have to change.
First this screenshot: http://i.imgur.com/oKKpFM1.png
Followed by the money screenshot: http://i.imgur.com/DlAlQPt.png