
I recently made a complaint to a company about them sending out passwords in plain-text via email upon registration knowing that it is a potential security risk.

One of their employees responded with the following:

The security depends on the strength of your email password. This is the default in the billing system - also used by thousands of other companies. If you have problems with this, please just delete the email.

Is that a reasonable response? Is it really the default in billing systems to send out the user's password in plain text by email?

I believe the billing system used by the company is WHMCompleteSolution.

  • It's not reasonable, it's ignorant. They're obviously storing plaintext or reversibly-encrypted passwords, and that's a very bad idea, especially considering the problem of password reuse. – thejh Apr 03 '13 at 20:25
  • This is the default in the billing system - also used by thousands of other companies... who are also all wrong to use this pattern. – Jeff Ferland Apr 03 '13 at 20:36
  • The standard option for you at this point is to attempt to publicly shame them into fixing their security mistakes. You should make a serious effort to convince them privately, but once the time limit is up, go public. This is known as responsible disclosure. Here's Troy Hunt doing exactly that earlier today. – Ladadadada Apr 03 '13 at 22:41
  • Thanks for all your comments, this is the response I received when further complaining and linking to articles suggesting that it is not a good idea: "This option is defaulted in WHMCS and that's how we're keeping it" – Joshua Apr 04 '13 at 12:32
  • This is what WHMCS say about it, http://forum.whmcs.com/showthread.php?41342-Password-security&p=216721#post216721. Does that make it any better? – Joshua Apr 04 '13 at 12:39
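The comments above make one point that is easy to state but worth seeing in code: a system that can put your password into a welcome email must be holding that password in a recoverable form, whereas a system that stores only a salted hash can check a password but never reproduce it. The following is an added illustration written for this page; it is not code from the thread, from WHMCS, or from the company in question. The two stores, the sample registration (alice@example.invalid with a constructed password), the activation URL shape and the PBKDF2 iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample registration for the demonstration; not a real account.
SAMPLE_USER = "alice@example.invalid"
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumption: a PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance.
PBKDF2_ITERATIONS = 600_000


class PlaintextStore:
    """The pattern the thread criticises: the password is kept readable so it can
    be placed in the welcome email. Whoever obtains the database, a backup, or the
    user's mailbox obtains the password itself (and, via reuse, other accounts)."""

    def __init__(self):
        self.records = {}

    def register(self, email, password):
        self.records[email] = {"password": password}
        return self.welcome_email(email)

    def welcome_email(self, email):
        # The only way to write this line is to have the password in the clear.
        return f"Welcome! Your login is {email} and your password is {self.records[email]['password']}"

    def verify(self, email, password):
        rec = self.records.get(email)
        return rec is not None and hmac.compare_digest(rec["password"], password)


class HashedStore:
    """Alternative: store only a per-user salt and a PBKDF2 hash, and email a
    one-time activation token instead of the password. The server can check a
    login attempt but cannot reproduce the password, so neither can a leaked DB."""

    def __init__(self):
        self.records = {}
        self.pending_tokens = {}  # activation token -> email, consumed on first use

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)
        self.records[email] = {"salt": salt, "hash": self._hash(password, salt), "active": False}
        token = secrets.token_urlsafe(32)
        self.pending_tokens[token] = email
        return self.welcome_email(email, token)

    def welcome_email(self, email, token):
        # Assumed URL shape; what goes out is a short-lived token, never the password.
        return f"Welcome! Activate your account: https://billing.example.invalid/activate?token={token}"

    def activate(self, token):
        email = self.pending_tokens.pop(token, None)  # single use: second call fails
        if email is None:
            return False
        self.records[email]["active"] = True
        return True

    def verify(self, email, password):
        rec = self.records.get(email)
        if rec is None or not rec["active"]:
            return False
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))


def password_exposed(store, email, password):
    """True if the plaintext password can be read straight out of the stored record,
    which is the situation a database dump of the plaintext design puts you in."""
    rec = store.records[email]
    return any(isinstance(v, str) and password in v for v in rec.values())


def token_from_email(body):
    """What the user (or anyone reading the mailbox) gets from the hashed design's email."""
    return body.rsplit("token=", 1)[1]


if __name__ == "__main__":
    p = PlaintextStore()
    print(p.register(SAMPLE_USER, SAMPLE_PASSWORD))
    print("plaintext store exposes password:", password_exposed(p, SAMPLE_USER, SAMPLE_PASSWORD))
    h = HashedStore()
    body = h.register(SAMPLE_USER, SAMPLE_PASSWORD)
    print(body)
    print("hashed store exposes password:", password_exposed(h, SAMPLE_USER, SAMPLE_PASSWORD))
    h.activate(token_from_email(body))
    print("login after activation:", h.verify(SAMPLE_USER, SAMPLE_PASSWORD))
```

The point of the contrast is the employee's claim that "the security depends on the strength of your email password": in the hashed design the worst a leaked welcome email gives up is a single-use activation token, and the worst a leaked database gives up is a list of salted hashes that still have to be brute-forced per user; in the plaintext design both leak the password outright, and an attacker who already holds the password has no further step to take.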
