I have forgotten my password for my DZone.com account, but lucky me, most of these web sites have a “Forgot password?” link, as DZone has. So I clicked the link, entered my username and a second later I got a mail from DZone.
But the content really surprised me. Nowadays you would expect, especially from such big Web 2.0 web sites, that password security is one of their top security priorities.
But look at the mail I got:
You or someone on dzone.com has requested a mail containing your password. Username: xxxx Password: here_is_my_password_in_clear_text You can login to dzone.com at: http://www.dzone.com/login.html If you did not request this password email, please disregard it.
They are sending you the current password in clear text!!!
So what does that mean? The password has to be stored in clear text, or in a reversibly encrypted form, on their system too! Have they ever heard that you never, ever store a password that way?!?! You always store it with a non-reversible (one-way) crypto algorithm, salted and slow enough to resist guessing, so that if the data gets stolen or if somebody breaks into their system, he is not able to recover the clear-text passwords of their users.
Because with that information and the e-mail address, it is very often easy to hack a lot of other accounts of that user! Most people don’t use different passwords for their different accounts.
I’m really surprised that such a big web-site has such a security flaw…
So you should really consider what password you are using on DZone.com…