Don't Email Passwords in Plain Text

Unless something changed since the last time I was welcomed to a new group (and I sincerely hope so), passwords are stored in plain text in the database. If existing passwords are being emailed in plain text, then this is the case.

This is unacceptable and, frankly, absurd, especially for a company collecting Social Security numbers (which are probably also stored in plain text in the database)! Considering the amount of personal information stored in Arbiter, passwords must be salted and hashed before being stored in the database. If you haven't fixed this issue already, it should really be a top priority.

I cannot express my dissatisfaction enough.
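Salted hashing as the post demands, as an added example in Python (not Arbiter's code and not the poster's). The stored record lets a site verify a login but cannot yield the password back, which is exactly why a system that can email you your existing password must be keeping it in clear. The iteration count is an assumed work factor, not a value from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed PBKDF2-HMAC-SHA256 work factor; tune upward as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record that belongs in the user table instead of the password.

    A fresh random salt per user means two users with the same password get
    different hashes and precomputed tables are useless. The plaintext is not
    recoverable from the record, so there is nothing here to put in an email.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "alg": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def stored_password_is_recoverable(record: dict) -> bool:
    """True for the anti-pattern the post describes: the row holds the password itself."""
    return "password" in record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print("stored record:", rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("can be emailed back:", stored_password_is_recoverable(rec))
```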
