This is Not Security
I recently received a notice from my kid's after-school care provider that they had setup an online service to check on the bill and update personal information, etc. Well, that's nice — I thought — so I hopped right on setup the account.
At first, some good signs. All the accounts were pre-setup with the registered email and a password was pre-set that was based on some information most people wouldn't have. Not perfect, but better than most.
However, when I tried to login I was mis-generating the password (four digit year instead of two) so I gave up and hit the "Forgot Password" link to setup the account that way.
This, folks, is where I started to get a little concerned.
Yes, that's not only the real password sent over email, but a clever person will pause and say, "Wait, the password is recoverable?"
It would appear so. Passwords are stored in a recoverable way and regularly emailed in plain text to people rather than having a reset system.
That terrifying moment behind me (and knowing that I simply had to use a unique password on this site), I used 1Password's generator to make a good password. Well, there's problem two.
The passwords, which are recoverable, are limited to 10 characters or less. Oh, and there are also no length or complexity requirements. My password could be "x" and be valid.
On the one hand, that does increase the number of possible permutations (something I advocate for) but it also lets idiots be idiots (something I don't advocate for). In any case, the site where my kid's registration information resides is eminently hackable.
I know what you're thinking. Surely, if there's any sense in the world, they at least got the most basic, trivial thing right when it comes to safeguarding personal information on the web? You'd be wrong.
That's right. No SSL. At all.
The only word for this is irresponsible. When they get hacked and my information is out in the world there will be no amount of spin that will give me a moment's pause in putting all the blame completely on their system design, of which every component is in blatant violation of their declared security practices.