Marvel.com emails you forgotten passwords in plaintext
1) Visit https://secure.marvel.com/user/register
2) Set up an account with an email address you own
3) Sign out
4) Visit https://secure.marvel.com/user/login
5) Say you forgot your password
6) Wait
9 comments
[ 3.5 ms ] story [ 25.5 ms ] threadThey also had a bug where if you had a special character in your password it wouldn't appear in the email they sent you. I pointed this out to the IT person. They fixed the bug... by prohibiting special characters in passwords.
I need a new bank...
1) People are listening to your IMAP/POP traffic? Then you got worse problems to face: scumbags out to get you.
2) You use the same password in another, more serious account? You shouldn't.
3) You seriously worry someone will hack into your Marvell account? And do what, read your comics?
They could still be stored hashed in the front-facing system that handles the logins, etc, but kept non-hashed in another database that is just used as an API endpoint to get the restore emails.
Second, and I think more significantly, they've still got a database of plain-text passwords sitting around. The fact that they might have some systems in which they are stored hashed is kind of irrelevant.
1.) If someone was trying to get the person's information, the least of their worries is an easy password to for them to get? This may be the dumbest thing I've ever heard.
2.) Anyone who uses the same password for multiple accounts shouldn't do that? Yea. Saying that doesn't fix the issue. You have to tell users to use secure passwords and assume they won't. Because they won't.
3.) Because it only protects their comics from being read? That's still private property that Marvel claims to protect by requiring passwords to gain access. The fact that they treat security like it doesn't matter shouldn't be dismissed with a "so what?".