Comments on: Plaintext Password Reminders

By: Detroit Mobile Locksmith

Detroit Mobile Locksmith — Sun, 06 Jan 2013 05:32:57 +0000

Just wish to say your article is as astonishing.
The clearness in your post is just excellent and i could assume
you are an expert on this subject. Fine with your permission allow me to grab your
feed to keep updated with forthcoming post. Thanks a million and please continue the enjoyable work.

By: Alvin Chang

Alvin Chang — Wed, 05 Dec 2012 18:53:33 +0000

Isn’t it true that all majordomo mailing lists store your password and remind you in cleartext once a month?

By: Dan Cvrcek

Dan Cvrcek — Thu, 27 Sep 2012 12:09:44 +0000

There are some differences between electronic access and posting printed and signed forms. I think they can be grouped around two aspects:
a. existence of physical evidence that can be used in possible disputes; and
b. use of electronic access to automate unauthorised access to the system.

Particular issues would include:
1. sending printed documents is fairly difficult to automate;
2. if there is a dispute, signatures can be verified; and
3. it is not possible to anonymously obtain private information from Companies House using Royal Mail but easy with a stolen password.

By: Ian

Ian — Thu, 27 Sep 2012 11:56:39 +0000

Given that everything that can be done on the company house website could be done by sending in paper forms with no real checks made, I don’t think the risk has increased. However I wish they would use the government gateway, so I did not have to have yet another password.

I can’t recall if they prompted me to change the password at any point of the registration process. It is a real pain of a website to remember the passwords for, as I have to log in once a year.

By: Ethical

Ethical — Tue, 25 Sep 2012 07:58:33 +0000

Typical mentality I’m afraid. I’m sounding off.

ISO 27001, PCI, CESG etc Certified, is tick box exercise in some companies, masking the underlying frailties in management thinking and communication. There is a lot of snobbery in some circles around technical knowledge, and involving the right (or correct) abilities in projects to ensure plain-text or simple problems like this never get on-line. Or risks are accepted and “that will never happen to us” etc excuses. I know none of the facts of course, pure speculation, but it smells of the typical arrogance and ignorance of said mentality.

For example, a simple traceroute from the executives/civil servant/service provider key partner laptop, would open their eyes (with appropriate explanation) to where information in the clear travels, anyone of the IP address is storing, forwarding information (and whatever else is in between), or our plain text password in this case.

For the amount of “enhanced” security to prevent identity theft on the Companies House Website, this is ironic. Having said that these types of issues are sure to increase with the cut-back mentality that prevails….

I waffle one. Disgruntled, but honest.

By: P

Fri, 21 Sep 2012 09:15:45 +0000

See also Denis Health Insurance: they will mail you your password if you say you forgot it and they display it in the “my details” page while you are logged in.

https://secureuk.denisglobal.com/Template.php?uvKey=Forget&uvMode=&uvCall=NOMENU

By: Justin Dugger

Justin Dugger — Thu, 20 Sep 2012 15:55:35 +0000

I'm not sure if you've mentioned this site before on this blog, but there's a site, http://plaintextoffenders.com/, that attempts to catalog sites known to implement plaintext reminders. Name and shame, I suppose.