Passwords emailed in plaintext

3 posts / 0 new
Last post
pellis
Passwords emailed in plaintext

It seems that you email passwords in plaintext to people when forgotten. This indicates that you are not properly protecting passwords (salted and hashed as per industry standards) as stored by your user management system. This is not secure and risks exposing user information on your site and others, especially with reused passwords. What are you plans to adopt modern password security to protect your users?

paul
Thank You

Thanks for bringing this to our attention.  We will be working to address this as soon as possibe.   

paul
Security Changes Implemented

We performed a security review of our Administrator password management as a result of this critique of our practice of emailing forgotten passwords in plain text.  This was a convenience feature that had been scheduled to be changed and we advanced its priority as a result of this customer feedback.  Aside from this specific situation when a password was requested to be emailed to the account on file, we store and transmit all sensitive information in an encrypted format. While we have found no breach in security or violation of our PCI compliance due to this practice, we take the security and privacy of your volunteer information very seriously and have made changes to Ivolunteer.com as a result.

The major change that Administrators will notice is the “Forgot My Password” feature will now email a temporary password that must be used within a short period of time.  Upon logging in with this temporary password the Administrator will be prompted to create a new password.  We believe this solution offers the best mix of security (confirming to industry standard practice) and convenience for Ivolunteer.com Administrators.

As always, we welcome customer feedback of our practices as this helps to make Ivolunteer.com better for everyone.  Please let us know if you have questions involving these changes.

Paul