5

JetBlue still storing passwords in plain text, after 4 years

“JetBlue: The deadly sin of an otherwise great airline” https://medium.com/@sethillgard/...

Comments
  • 0
    Well, emailing the plain text password doesn't necessarily mean that they're storing them unencrypted.
  • 1
    Whatever they are doing, they aren't doing it right. Hashing is supposed to be a one-way function, thus they can't email you your password.
  • 0
    Prediction - keep doing this stuff JetBlue and there will be an opening for a new JetBlue CTO. After they make the papers and the person leaves to 'spend more time with their family' 😀
  • 0
    @compilergeek they could easily have a script that generates the password, hashes it but keeps a variable with the original password for sending out the email... The web is full of poorly developed PHP scripts that do exactly this.
  • 1
    @Pampurio Isn't that the same as just saving a plain text password?
  • 0
    @compilergeek why should it be? If the email body is not logged and when the script ends variables are destroyed, where's the problem exactly?
    Of course it's not ideal but it doesn't imply they're storing plain text passwords...
  • 1
    @Pampurio I thought we were talking about how the reset password email sent a plain text password. My bad. But someone at some point should test if it sends a plain text password with the reset password email, then we can tell (roughly) what they're likely doing.
  • 0
    The email I received with the password was sent weeks after I created the account, and at the time of creation of the account they didn't know they needed to create a travel bank account for me. So yeah. It is stored in plain text, it's not just an email sent on account creation.
  • 0
    @Pampurio Ok, and then how could they know your password?
    ...
  • 0
    @sethillgard mmm not sure I understand. You created an account with your password, and after some weeks they sent you a reminder of your password or something similar?
  • 0
    @Pampurio they reused my TrueBlue password (the rewards program) for the TravelBank account (the one they use to give you credit back).

    The TravelBank account was automatically created after my flight got delayed, and the email with the password was a welcome email to TravelBank.
  • 0
    Oh well that's another story and definitely an issue
  • 0
    @Pampurio even if they only sent it on account creation in a PHP script as you say, that would still be pretty bad. Packets can be sniffed, social engineering is a thing, and simply typing JetBlue in your email search box could out your password to everyone looking at your screen.

    It would be less bad, but still pretty bad.