The pedantry in some of the comments has me practically smashing my head into my desk. The semantic arguments about whether the actual password storage mechanism is encrypted, encoded, etc., are wholly irrelevant.

If a web site can send you an "I forgot my password" reminder email which includes your plaintext password, then the site operator is storing the password in a plaintext-equivalent format. If the password is stored as a plaintext equivalent, then attackers can steal your plaintext password when they "own" the site.

To address the encryption pedantry: if a site is using encryption to store the password but the key to decrypt the password is available on the site's servers, then, arguably, the encryption just amounts to an encoding. Symmetric encryption requires that the key be kept secret. Keeping the key on the servers means that it's not secret, and means that it's not really encryption.

Edit:

I see that the discussion is heading this way, so I'll head it off at the pass: I would argue that there is no reason that any site operator ever needs the plaintext of a user's password to be stored persistently for any reason. There is no valid reason passwords should be stored in a reversible manner.

(Somebody is going to bring up storing credit card numbers with symmetric encryption, too. That's a broken system and, arguably, needs to be replaced with something based on asymmetric encryption instead of "secret numbers" that we have to transmit between quasi-trusted parties.)
Omer here, one of the two guys behind this website. I'd like to thank the Hacker News community, who are in part the reason for our site's popularity.
Thanks, everyone. Please keep spreading the word! :)
I wonder how they can be sure that a website stores their website in plain text? Just because a website sends an email confirmation with the password doesn't mean they *store* it in plain text. The developer could just send the email before hashing the password.

Not saying it's a good practice to send the password by email but it seems the website stretches the truth a bit.
Apparently, George Mason University is still on the list... two years after I sent them multiple emails and phone calls complaining about such a big security issue. It's kind of sad that you can't even depend on educational institutions to follow the security guidelines they probably teach to hundreds of students (even if that part of their website was done by a contractor).
My site would fall under this and I use two layer sha-2 512 keys with unique salts... just because I send you one email does not mean I know your password (and for that matter somehow you have to be given an initial password in a lot of systems)
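The non-reversible storage the first comment argues for, and the salted hashing the comment above describes, as an added example that is not code from this thread or from the site under discussion: passwords are kept only as a per-user salt plus a PBKDF2-HMAC-SHA512 digest, so the operator cannot email them back, and the "forgot my password" flow emails a single-use, expiring reset token instead. The class and method names are hypothetical; only the Python standard library is used.

```python
# Added example (not from the thread): a password store that cannot
# reproduce a user's password, plus a "forgot my password" flow that
# emails a one-time reset token instead of the password itself.
# Class and method names are hypothetical; only the standard library is used.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 210_000  # PBKDF2-HMAC-SHA512 work factor; raise over time


class PasswordStore:
    def __init__(self):
        self.users = {}         # username -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}  # sha256(token) -> (username, expiry)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # One-way KDF: the salt is stored, the password never is.
        return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self.users[username] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def request_reset(self, username: str, ttl_s: int = 900) -> str:
        """Return the one-time token to email; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[digest] = (username, time.time() + ttl_s)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(digest, None)  # single use: consumed on lookup
        if entry is None:
            return False
        username, expiry = entry
        if time.time() > expiry or username not in self.users:
            return False
        self.register(username, new_password)  # fresh salt and hash
        return True
```

Nothing in `users` or `reset_tokens` can be turned back into the password or the token, so a database compromise yields neither, and the email the user receives never contains the password.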