If you forget your password to a website and your ‘forgot password’ request is answered with your password being emailed to you, there’s a problem there. Your password should at least be hashed with one-way encryption and stored in the database securely. Even though it’s convenient, it’s very bad security. As was exhibited by several database breaches recently, even hashed passwords are only a matter of time to solve with rainbow tables of known password-hash matches. It’s bad practice for users to use the same password across multiple web services but it is equally a responsibility of web service providers to secure the information they are entrusted with.
If you are looking for a little name-and-shame, you can visit Plain Text Offenders. The site collects screenshots of web services that send out your credentials in the clear. If it’s done at registration, it might not mean the database holds unhashed passwords but you better hope your email never gets broken into if it stores the keys to the kingdom. In addition, sending out your email across the wire in the clear cannot provide much assurance that it wasn’t picked up somewhere along the way. If the site sends your password to you on a password reset request instead of a reset link, then you should definitely have concerns.
Concerned enough? You can search PlainTextOffenders.com before you sign up for a new service to see if they have been listed as using bad practices with passwords.
A Google Chrome extension called Password Fail will automatically tell you if the site you are visiting has been registered as storing passwords in plain text. However, I’m not sure if the extension and associated site list is kept up-to-date.
Do you use any other resources to keep your accounts secure and avoid companies that implement bad practices?