I just forgot my amtrak.com password and tried to reset it, this is what I got:

Dear <your-name>,

Thank you for contacting Amtrak. The login information you requested is listed below.
Please save this information for future reference.

User ID: <youremailid@yourprovider>
Password: <your-password>

If you encounter any login difficulties, contact us online at
http://www.amtrak.com/contactus.html or call 1-800-USA-RAIL (1-800-872-7245).

Thank you for choosing Amtrak.

I hate to be pedantic, but just because they send you your password in plain text, doesn't mean they are storing it in plain text.

Does it mean they are doing a shitty job? Yes. Is storing a password using two-way encryption more secure than plaintext? Laughably. Still...

I just tried it and they sent me the same email. They don't necessarily store the password in plaintext as latch has explained.

They don't seem to store credit card information for future use, which is a good sign. However, they do store a lot of personally identifiable information that might make sending a password via email illegal in some states (at least Massachusetts [1]).

[1] http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf - (3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

I got an email like this from my domain provider the other day. I was curious if someone might be able to sniff the network for SMTP messages then go request a bunch of password resets from the website. Their support staff was not too interested in the idea.