Had to reset my password earlier today -- they emailed me a copy of it.

Not only proving that they store it in clear text, but I also noticed that it was downcased (or that they don't care about caps) and that it was capped at 10 characters (it chopped off a few characters).

This is something like the 5th time in the past couple of weeks where sites have emailed me a password.

I go to a lot of startup events and I'd say a good 40% of them are storing passwords in the clear. You could argue that *some* of these are just emailing the password within the HTTP request itself, but let's admit -- that's not too bright either.

All this talk about antisec/lulzsec is completely stupid when you have well-known sites like this that implement these abominable security measures.

If you don't care about security you don't care about your customers, and I hope your startup gets its ass sued to hell and back.
Verified that, at least, passwords are not case sensitive.

Good thing it's a one-off that I think they generated for me (it's too short for it to have come from LastPass).

I imagine this was done on purpose so that when grandma types "goodkitty" instead of "GoodKitty", she doesn't get confused by the website's refusal to let her in. From a usability perspective - for the majority of customers who don't use password utilities like 1Password - it makes sense.
I don't know about Discover.com, but Discovercard.com (for credit card account access) seems to cap passwords at 8 characters, which drives me crazy. Other than someone setting a database column to 8 chars and not wanting to deal with altering the table, what good can come of limiting password size to 8 chars?
(I post this every time)

This doesn't prove that they actually store it in plain text. They could be storing it using a reversible encryption algorithm.

Yes, I realize that this is almost as bad as storing it in plain text. However, not knowing the high-level difference between symmetric, asymmetric, hashing and cryptographic hashing is just as bad. (And I'm not saying the OP doesn't know the difference, but I am saying most people (maybe not on HN) don't.)
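As an added example (not from any commenter in the thread, and not the code of any site mentioned in it), the Python below puts the two sides of this exchange next to each other: a toy password store constructed to reproduce the three symptoms the original post describes (downcased, truncated to 10 characters, and able to hand the password back in an email), beside a salted scrypt store in which none of those three things can happen, whether the site intended them or not. The record format, the scrypt parameters and the sample passwords are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- Constructed "legacy" store: reproduces the symptoms described in the thread.
# This is an illustration of the described behaviour, not any real site's code.

def legacy_store(password: str) -> str:
    """Keep the password itself, downcased and chopped to a 10-char column."""
    return password.lower()[:10]

def legacy_verify(stored: str, candidate: str) -> bool:
    """Login succeeds for any candidate that downcases/truncates to the same string."""
    return stored == candidate.lower()[:10]

def legacy_recover(stored: str) -> str:
    """The site can email this back verbatim: that is the tell the OP noticed."""
    return stored

# --- Hashed store: salted scrypt, constant-time comparison, no recoverable form.
# Parameters are assumed reasonable defaults for illustration; tune for real hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt_b64>$<hash_b64>'.

    The full password is hashed as typed: no case folding, no truncation.
    Nothing recoverable is kept, so a password-reset flow cannot email it back.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(dk).decode("ascii"))

def verify_password(record: str, candidate: str) -> bool:
    """Recompute scrypt with the stored salt and compare in constant time."""
    scheme, salt_b64, dk_b64 = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown record scheme: %r" % scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    return hmac.compare_digest(actual, expected)

def demo() -> dict:
    """Run both stores against the same constructed password and its variants."""
    pw = "GoodKitty12345"                      # constructed sample password
    legacy = legacy_store(pw)
    hashed = hash_password(pw)
    return {
        "legacy_stored_value": legacy,                                 # 'goodkitty1'
        "legacy_accepts_wrong_case": legacy_verify(legacy, "goodkitty12345"),
        "legacy_accepts_extra_chars": legacy_verify(legacy, pw + "ZZZ"),
        "legacy_can_email_back": legacy_recover(legacy) == legacy,
        "hashed_accepts_exact": verify_password(hashed, pw),
        "hashed_accepts_wrong_case": verify_password(hashed, "goodkitty12345"),
        "hashed_accepts_extra_chars": verify_password(hashed, pw + "ZZZ"),
        "hashed_record_reveals_password": pw.lower() in hashed.lower(),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print("%-32s %r" % (key, value))
```

The point of running both side by side is that the behaviour the OP observed (a login that ignores case and stops reading at 10 characters, plus a reset email containing the password) is only possible when the stored value is the password or something decryptable back to it, exactly the distinction this comment draws; with a one-way salted hash the site has nothing to email and nothing to downcase.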
I still encounter this on many websites unfortunately :(

I'm thinking there should be a browser plugin that lets me report this and also warns me when I'm on such a website. Who's with me?
I *think* this may be driven by usability, where they want to make it as easy as they can for the user to engage.

I agree with you though, security trumps usability for this one.