Wow, a comment on that article describes a case that's far worse :S Involves SSN/SIN and fixed-number PINs in the clear.

"Would you consider doing a story on https://borrower.ecsi.net/ ?

Same thing, your password is an unchangeable 5-digit PIN that they email to you in plain text. But your username is your SSN. And you can't get rid of your account until you pay off your student loans.

Fortunately they're not vulnerable to SQL injection, as far as I could tell. I really wanted to email them their entire list of SSNs / passwords."

N-digit PINs on online sign-ins for universities are similarly awful and super common. To boot, they often have username = firstname.lastname@university.edu, so brute-forcing a target's password can be done on a laptop in short order.
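To put a number on the brute-force claim above, here is an added example (not code from the comment, the linked site, or any university system) that simulates a login backend with a guessable username and a fixed 5-digit PIN, enumerates the whole keyspace against it, and then runs the same attack against a variant that locks the account after a handful of failures. The account table, username, PIN, and the `LockoutLogin` class are all constructed for the demo.

```python
import itertools
import hmac

# Length of the fixed numeric PIN the login accepts (assumption: 5 digits,
# matching the scheme described in the comment).
PIN_LENGTH = 5

# Constructed account table for the demo; hypothetical data, not from any
# real site. Username follows the firstname.lastname@university.edu pattern.
ACCOUNTS = {"jane.doe@university.edu": "48213"}


def check_login(username: str, pin: str) -> bool:
    """Naive backend: verifies the PIN but has no lockout and no rate limit."""
    expected = ACCOUNTS.get(username)
    if expected is None:
        return False
    # constant-time compare so the simulation does not leak via timing
    return hmac.compare_digest(expected, pin)


def brute_force(username: str, login_fn) -> tuple:
    """Try every PIN of PIN_LENGTH digits in order against login_fn.

    Returns (pin, attempts) on success or (None, attempts) if the whole
    keyspace was exhausted without a successful login.
    """
    attempts = 0
    for digits in itertools.product("0123456789", repeat=PIN_LENGTH):
        attempts += 1
        pin = "".join(digits)
        if login_fn(username, pin):
            return pin, attempts
    return None, attempts


class LockoutLogin:
    """Hardened variant (constructed): lock the account after MAX_FAILURES
    consecutive wrong PINs, so online enumeration of 10**PIN_LENGTH values
    cannot complete."""

    MAX_FAILURES = 5

    def __init__(self) -> None:
        self.failures: dict = {}
        self.locked: set = set()

    def check(self, username: str, pin: str) -> bool:
        if username in self.locked:
            return False  # locked accounts reject even the correct PIN
        if check_login(username, pin):
            self.failures.pop(username, None)
            return True
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.MAX_FAILURES:
            self.locked.add(username)
        return False


def run_demo() -> dict:
    """Run both attacks and return the outcomes for inspection."""
    user = "jane.doe@university.edu"
    naive_pin, naive_attempts = brute_force(user, check_login)
    hardened = LockoutLogin()
    hard_pin, hard_attempts = brute_force(user, hardened.check)
    return {
        "keyspace": 10 ** PIN_LENGTH,
        "naive_pin": naive_pin,
        "naive_attempts": naive_attempts,
        "hardened_pin": hard_pin,
        "hardened_attempts": hard_attempts,
        "hardened_locked": user in hardened.locked,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against the naive backend the full 100,000-value keyspace is exhausted in well under a second on a laptop, and the correct PIN falls out at whatever position it happens to occupy. The lockout variant stops the attack after five guesses, but note the trade-off it introduces: an attacker who knows the username pattern can now lock any target out deliberately, so real deployments pair lockout with rate limiting, progressive delays, and, above all, a secret that is not a short fixed numeric PIN.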
American Express is also quite bad in terms of what characters are permitted to be used in passwords. However, Greyhound is out of this world in this case.