33
kurtr
3y

So my boss booked me a spot at a conference about "the future of online payments" and I received an email with auto created account (there was no sign up) with a clear text password.

I'm feeling pretty confident that I can trust them to guide and advise me on best practices when it comes to handling sensitive information.

Comments
  • 0
    Capetonians Unite!
  • 7
    I just tried to access the site in that screenshot and got a certificate error... Loads of trust right now...
  • 2
    They probably also stored his card or whatever in their DB, to keep "track" og transactions...
  • 1
    remind me of the rant I saw earlier where the password was in plaintext + it is 'p@ssw0rd' XD
  • 1
    I am thinking of going just to get two days off work :P
  • 2
    At first i read semenless.Quite happy the story turned out differently.
  • 0
    well, being fair, it says it's temporary. probably not stored. you must change it
  • 1
    @vhoyer yeah but also to be fair they probably shouldn't take the liberty of taking a email address from a booking reference fo4lr an event and create a user account with it (probably to make their stats look better). Even if you get past that - temporary or not a cleartext password is bad news for a whole lot of reasons, it's far better to use a one time token.
  • 1
    While I agree that a one time token is best, there's nothing wrong with generating a pass, sending it in an email then saving the hashed version in the db.

    Odds are you'll be prompted to change it aftet the first login too.
Add Comment