Hey guys, if you don't fix this, I won't place an order with you again.
Because if you treat my password like the other data I gave you (in particular my credit card details), I can't give you my money.
Can't you do the right thing? Some tips (at a minimum):
- store only a hash of the password, never the password itself (and use a slow password hashing function, not a bare fast hash)
- salt it, with a random salt that is different for every user
- to check a login, hash the submitted password with that user's salt and compare the hashes, never the cleartext passwords!
- if the user has lost his password, generate a new random one (you cannot send the old one back, because you no longer have it)
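The four tips above, put together as one working example. This is added illustration, not code from the original post or from play.com: it uses PBKDF2-HMAC-SHA256 from Python's standard library (the iteration count and salt size are assumptions chosen for the example; a memory-hard function such as scrypt or Argon2 would be a better choice in production), keeps a hypothetical in-memory customer table, and shows that a leaked table holds no password, that a wrong password fails, and that a "lost password" is handled by issuing a fresh random one rather than mailing back the old one.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumed parameters for this example (not the original post's values).
ITERATIONS = 200_000
SALT_BYTES = 16

# Hypothetical in-memory "customer list": username -> (salt, hash).
# Even if this table leaks, no cleartext password is in it.
USERS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Tip 1: derive a hash from the password; the cleartext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Tip 2: a fresh random salt per user, stored next to the hash."""
    salt = os.urandom(SALT_BYTES)
    USERS[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Tip 3: hash the submitted password with the stored salt and compare hashes.

    hmac.compare_digest keeps the comparison constant-time, so response timing
    does not leak how many bytes of the hash matched.
    """
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def reset_password(username: str, length: int = 16) -> str:
    """Tip 4: the old password cannot be sent back (it was never stored);
    issue a new random one and replace the stored salt and hash."""
    if username not in USERS:
        raise KeyError(username)
    alphabet = string.ascii_letters + string.digits
    new_password = "".join(secrets.choice(alphabet) for _ in range(length))
    register(username, new_password)  # re-salts and re-hashes
    return new_password


def salted_hashes_differ(password: str) -> bool:
    """Why the salt matters: the same password under two different salts gives
    two different stored values, so one precomputed table cannot crack a whole
    leaked customer list at once."""
    a = hash_password(password, os.urandom(SALT_BYTES))
    b = hash_password(password, os.urandom(SALT_BYTES))
    return a != b


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong password"))                # False
    new = reset_password("alice")
    print(verify("alice", new))                             # True
    print(salted_hashes_differ("correct horse battery staple"))  # True
```

The point the example makes for the original complaint: a "send me my password" feature is only possible if the site can read the password back, which means it is stored in cleartext or reversibly encrypted; a site built like the code above physically cannot offer that feature, only a reset.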
Why? Because someone (a cracker or a disgruntled employee) could fetch the customer / password list and, since most people don't use a different password for every site, use it not only to make purchases on play.com but to get into all the customer's other accounts, probably up to and including his mail box. And from there, into every account tied to that mail box.
Note to self: always test the "send me my password" function on any new web site I use.
Update: at least some other sites know what they are doing