Quote:
Originally Posted by Altor
I sent an e-mail to them expressing my displeasure about the password thing. They replied with a link to a forum on their site discussing the matter. Their tech posted in that forum that they do not store the password in plain text in their database. It is encrypted, along with the social security numbers and taxpayer ID numbers, in a manner that allows it to be decrypted, which is how they are able to e-mail it to you when requested.
He claimed they are working on a one-way hash method for passwords so that it cannot be decrypted, but the SSN and TINs must remain in the encrypted format so they can be used in reports, etc.
I'm glad to hear this. It's still not as good as a hash - encryption can be and is compromised, as it more or less depends on keeping the host's internal network (and thus the key) secure - but it's better than plaintext. They still shouldn't be sending people passwords in the open, though. Much better a controlled-and-timed reset link.
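As an added example (not code from the thread or from the site being discussed), here are both points in Python: a salted one-way hash the server can verify but never recover, and a signed, time-limited reset token that replaces e-mailing the password. The signing key and the 15-minute lifetime are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed for this example; a real deployment loads the key from a secret store.
RESET_SIGNING_KEY = b"constructed-example-key-not-for-production"
RESET_TTL_SECONDS = 15 * 60  # reset link valid for 15 minutes (assumption)
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256: verifiable by the server, not decryptable."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Reset token = user id, expiry, random nonce, and an HMAC tag over all three."""
    issued = now if now is not None else time.time()
    expires = int(issued + RESET_TTL_SECONDS)
    nonce = secrets.token_hex(8)  # makes each link unique so it can be marked used server-side
    payload = f"{user_id}:{expires}:{nonce}"
    tag = hmac.new(RESET_SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{tag}"


def check_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the tag is authentic and the token is unexpired, else None."""
    try:
        user_id, expires, nonce, tag = token.rsplit(":", 3)
    except ValueError:
        return None
    payload = f"{user_id}:{expires}:{nonce}"
    expected = hmac.new(RESET_SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):  # tampered or forged link
        return None
    current = now if now is not None else time.time()
    if not expires.isdigit() or current > int(expires):  # expired link
        return None
    return user_id
```

A production version would also record the nonce once the reset completes so a link cannot be replayed within its lifetime.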