I want you to close your eyes and imagine the chaos that would be caused if, in a single hack, millions of passwords to sites like Yahoo and LinkedIn were compromised.
Now open your eyes and stop imagining it. It actually happened. Yahoo lost roughly 450,000 passwords and LinkedIn lost 6.5 million, and both are being sued over it. What’s more, it looks like JetBlue could be next because of a practice that is so far below the line of security industry standards that it borders on being just plain stupid.
According to a widely circulated article on BusinessInsider.com, some JetBlue customers caught the company sending their passwords back to them in plain text in the body of an email. Email is neither encrypted end to end nor authenticated, so anyone who can read that message in transit or in a mailbox gets the password, and with it the ability to log in as you and reach everything that account exposes.
BusinessInsider.com reported the following:
Users have found the airline stores their passwords as plain, unprotected text. Worse, it emails the plain text passwords back to users, and emails can be easily compromised.
“Um, @JetBlue emailed me login info to something called their ‘TravelBank’ to manage unused credit. It included my password in cleartext,” venture capitalist David Pakman tweeted yesterday.
The issue Pakman reported isn’t new either. Last August, another JetBlue user, Vijay Pandurangan, wrote about a similar incident.
Pandurangan says JetBlue sent him an automated email reply when he refunded a plane ticket. The email was from TravelBank and it contained both his plaintext password and account number.
“The fact that they have not even followed basic security procedures is really scary,” he writes. “Since many people use the same password all over the place, this is especially dangerous — having a very complex password may prevent hackers from figuring out your password from a hash, but is useless if they’re stored as plain text.”
Okay, let’s be clear about this. A site should never store passwords in plain text, and neither should you. A site should keep only a salted, deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2), which lets it check a login attempt without ever being able to reproduce the password. If a site can email you your password, that is proof it holds the password in recoverable form, and every one of its users’ passwords is exposed to any employee with access to that database and to anyone who steals a copy of it.
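To make the difference concrete, here is an added example (my code, not JetBlue’s or BusinessInsider’s) that models the two storage schemes side by side: a TravelBank-style table that keeps the password as typed, and a table that keeps only a salted scrypt hash. Both verify logins identically, which is why the flaw is invisible until a recovery email arrives. scrypt is used because it ships in the Python standard library; Argon2id would be the first choice where a library is available. The usernames, passwords, cost parameters and the reset URL are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# scrypt cost parameters (assumed for the example): N is the CPU/memory cost,
# r the block size, p the parallelism. 128*N*r bytes = 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def register_plaintext(store, username, password):
    """The TravelBank-style scheme: the password is stored exactly as typed."""
    store[username] = {"password": password}


def verify_plaintext(store, username, candidate):
    rec = store.get(username)
    return rec is not None and hmac.compare_digest(rec["password"], candidate)


def _scrypt(password, salt):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def register_hashed(store, username, password):
    """Salted, memory-hard hash: the password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    store[username] = {"salt": salt, "hash": _scrypt(password, salt)}


def verify_hashed(store, username, candidate):
    rec = store.get(username)
    if rec is None:
        # Hash against a dummy salt so an unknown user costs the same time
        # as a wrong password; otherwise timing reveals which usernames exist.
        _scrypt(candidate, b"\x00" * SALT_BYTES)
        return False
    # Constant-time comparison of the derived key against the stored one.
    return hmac.compare_digest(_scrypt(candidate, rec["salt"]), rec["hash"])


def secret_appears_in_store(store, password):
    """What a database dump (or a curious employee) can read directly."""
    needle = password.encode("utf-8")
    for rec in store.values():
        for value in rec.values():
            blob = value.encode("utf-8") if isinstance(value, str) else value
            if needle in blob:
                return True
    return False


def recovery_email(store, username):
    """Body of an account-recovery mail under each scheme."""
    rec = store[username]
    if "password" in rec:
        # Only possible because the password is recoverable: the JetBlue failure mode.
        return f"Your TravelBank password is: {rec['password']}"
    # With only a hash on file the site cannot reproduce the password, so the
    # honest alternative is a random, single-use reset token. Store its hash,
    # not the token, so a database leak does not hand out live reset links.
    token = secrets.token_urlsafe(32)
    rec["reset_token"] = hashlib.sha256(token.encode("ascii")).digest()
    # example.invalid is a placeholder host, not a real reset endpoint.
    return f"Reset your password: https://example.invalid/reset?token={token}"


if __name__ == "__main__":
    plain, hashed = {}, {}
    register_plaintext(plain, "alice", "hunter2")
    register_hashed(hashed, "alice", "hunter2")
    print("plaintext store leaks password:", secret_appears_in_store(plain, "hunter2"))
    print("hashed store leaks password:   ", secret_appears_in_store(hashed, "hunter2"))
    print(recovery_email(plain, "alice"))
    print(recovery_email(hashed, "alice"))
```

Two details worth noticing: the salt means two users with the same password get different hashes, so a cracked hash cannot be reused across accounts, and the recovery path for the hashed store never mentions the password at all, because the site genuinely no longer knows it.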
Moreover, you should never use the same password for multiple sites, because once it leaks from one site, attackers will try it everywhere else, and ALL of your online accounts could be compromised. Imagine someone logging into your PayPal account, pointing it at a bank account they control, and draining your balance. You’d be hard-pressed to get that money back.
So, secure your passwords. Don’t keep them in a plain text file on your computer. If you’re afraid of forgetting them, use a password manager that encrypts its vault, or write them on a piece of paper and keep it in your safe deposit box. It might be a minor inconvenience, but it’s far less inconvenient than waking up in the morning to find your credit card charged to the hilt or your bank account empty.