18 December 2012
Don't email me my password (or store it in plaintext)
Of late, I’ve gotten pretty into chess. I never played much as a kid, but a couple months ago my friends started playing and I joined in. I’m not very good (even for a beginner), so I’ve decided to read and practice to get a little better.
At the suggestion of a friend, I decided to join the Internet Chess Club, so I could play some games online and hone my skills. I went to the site, registered, verified my email, and got the following email in my inbox:
Thank you for signing up for the ONE-MONTH FREE trial on the Internet Chess Club, the most active chess club in the world with over 50,000,000 games played every year!
Your username is: **********
Your password is: **********
You have completed the first step! Next, DOWNLOAD and install the our software from the link below. (ICC is available for Windows, Mac, Linux, iOS, Android, etc.)
Go to: http://www.chessclub.com/download-software
Follow the instructions to download and install. Then enter your username and password, and then click on the “Connect” button and you’ll connect to our playing site.
Once your FREE TRIAL is over, you can renew. https://store.chessclub.com/memberships We offer reduced membership prices starting as low as $9.95!
Or else, simply let your account expire and NO CHARGES will be made.
If you have any questions about the ICC or your account, please email us at email@example.com. Thank you for using the Internet Chess Club! See you online!
Web: http://www.chessclub.com email: firstname.lastname@example.org phone: 1 (412) 521 5553
Yes, they sent me an email with my password in plaintext (I *****’d it out)–what the fuck. Not only that, but the fact that they can send me my password in plaintext means that they are storing it in plaintext.
Obviously, you don’t need the highest level of security for your chess account, but in this modern day and age it is unacceptable to store passwords (and email them) in plaintext. Not only can that chess account be used to make purchases and access confidential information like your billing address, but if a hacker cracks their server, they have a huge set of plaintext passwords corresponding to user’s emails–most people use only 1 or 2 passwords for all of their accounts, so this is a pretty big deal.
I promptly changed my password and deleted my account. You should too if you’re a member of the ICC.
Oh, and if you hate passwords as much as I do, you should check out Clef, the startup I’m working on that is getting rid of usernames and passwords and replacing them with your mobile phone.