TechEcho
Ask HN: I see a popular website not hashing passwords

15 points by 42_huh over 12 years ago

I see a popular website not hashing passwords. I have notified them of it but they seem slow on the uptake.

Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise? What should be done in this case?

7 comments

irahul over 12 years ago

> I see a popular website not hashing passwords.

Some sites do it deliberately. If your customer base is mainly non-technical, directly emailing them the password increases the chance they will log back in more than sending them a password reset link does. I think I read it in the context of PlentyOfFish.

> Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise?

If an employee or a cracker has access to the user database, doesn't he already have the user data? The main reason passwords should be hashed is that if a rogue employee or a cracker has access to user data (what user data you have is already compromised here), he might be able to gain access to the user's mail, bank or other accounts, as most people tend to reuse passwords.

Comment #4821500 not loaded
Comment #4821338 not loaded
UnoriginalGuy over 12 years ago

> Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise? What should be done in this case?

No. It is not. There is no legal compulsion to hash passwords. I believe Visa and Mastercard do require their vendors to do so, however, or risk losing their ability to process credit card payments. I also think that there is some US healthcare law that somewhat requires it.

But in general there is no legal requirement to hash passwords. The lack of hashed passwords doesn't mean that there is a "user data compromise" in its own right.

The reason companies hash passwords is so that if they ever get broken into, the bad guy has to spend several days or weeks breaking the password database, which gives the company time to notify the users and the users time to change their passwords.

Note: A lot of compromises go unnoticed, and in those situations hashing offers little additional security (since the bad guy has infinity to crack the passwords).

Note #2: Hashing also makes implementation easier since the length of passwords becomes uniform and you essentially eliminate things like SQL injection (since the raw password is never stored in the database).

Comment #4822083 not loaded
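The "time to notify users" argument above rests on the hash being slow and per-user salted, so that a stolen table cannot be attacked with a single precomputed lookup. The following is an added example, not code from the thread or from any site discussed in it: it stores a self-describing salted PBKDF2-HMAC-SHA256 record (the record layout and the function names are my own) and verifies a login in constant time. PBKDF2 is used because it ships in Python's standard library; in a real deployment a memory-hard function such as Argon2id or bcrypt via a maintained library is the better choice.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: the iteration count OWASP currently recommends for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return "<algo>$<iterations>$<salt_hex>$<dk_hex>" for storage in the user table.

    The salt is random per user, so two users with the same password get different
    records and an attacker cannot amortise one guess across the whole table.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the parameters stored in the record.

    Returns False (never raises) for malformed or foreign records, and compares
    digests with hmac.compare_digest to avoid leaking the match length via timing.
    """
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if algo != ALGO or iterations <= 0:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample user for the demo; nothing here is real data.
    stored = hash_password("correct horse battery staple")
    print(stored)                                                 # never the password itself
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("Tr0ub4dor&3", stored))                   # False
```

Because the iteration count is stored with each record, the work factor can be raised later and old records re-hashed on the user's next successful login.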
dherken over 12 years ago

Maybe add this popular website here? http://plaintextoffenders.com/
paulbjensen over 12 years ago

Do they provide any other forms of contact? If not, see if you can find people who work there on the internet, and message them.

You're absolutely right, it's a major security risk, and anyone else who discovers it may not be so discreet, and may make the company a major target for anyone interested in stealing databases with unencrypted databases.

We had the same thing happen 2 weeks ago; the worst thing is that the company in our case does things with money. Yep.
Udo over 12 years ago

A more interesting question in this case: how did you find out? Are they leaking the un-hashed password somewhere, or did you break in?

Comment #4821335 not loaded
sangupta over 12 years ago

Contact the site and give them a time-frame by when they should comply. Politely ask them to comply, telling them that otherwise you would disclose the site's identity. Also, try and contact security research organizations to notify them of the vulnerability. This would add a little extra pressure on the site's owner to fix the security hole.

My 2 cents.

Comment #4821272 not loaded
epaga over 12 years ago

It can get way worse than that: at a big chess site I used to play at, a password reset email gives you a URL of the form ".../passwordreset.php?user=yourname&password=yourfreakingpasswordincleartext". I let them know about it years ago. Nothing changed.

Comment #4822145 not loaded