6 comments

[ 3.0 ms ] story [ 30.1 ms ] thread
Marcaria.com stores them in plaintext, too.

I told them about it multiple times.

"We'll have our engineers look into it" -- Two Days Later -- "This ticket has been closed."

Yup. That's usually the way. These guys kept assuring me my password was 'extremely safe, secure and backed up by industry standard.' Then I pointed out what the industry standard actually was and they've since stopped replying.
Is there a service where, given a domain name, you can get an assessment of previous security problems, or potential ones?

Many cities have restaurant inspections, so why not this?

Or even better, a PBKDF2/bcrypt/scrypt certification.

Something like "Site X has been verified to to be using per-user salts using scrypt at 200ms and 1MB memory."

That's a brilliant idea. Having a database of this kind of thing would be really helpful.
Storing in plaintext != recoverable password (not hashed)