cctld MyID saving passwords in plain text

[katherine]

I haven't used MyID for a long time. Today I was disappointed to see that the password reminder feature sends you the actual password on file, instead of a a link to reset your password (which of course, should not be stored in clear but hashed and salted).

:worried:

 

[hugegrowth]

They are upgrading their website right now, so you should contact them with your suggestion.

 

[katherine]

The Peruvian registry was hacked this week-end. Passwords were saved in SHA1 but unfortunately they were unsalted.
It appears that all of them have been recovered by now. But at least it keeps the hackers busy for a while (a few hours ?).

There is no excuse for poor security like this in 2012.
Again, make sure you don't reuse passwords.

 

[msn]

Mmmm salty passwords.

We noticed the Peru problem pretty quickly because we started getting spam on our registry account.