Thursday, November 30, 2006

NewsGator: Why?

I was playing around with different news readers/aggregators when I remembered that I have an existing NewsGator account that I set up a while back. So I went to the NewsGator site and tried to log in, but I forgot my password. Like most sites, NewsGator has a "Forgot your password?" link. Using that function sent me this email:


From: support@newsgator.com
To: [My Email Address here]
Subject: NewsGator Online credentials
Date: Thu, 30 Nov 2006 19:04:09 -0700

As you requested online, we are sending your NewsGator
Online credentials to you. They are as follows:

Username: [My Username was here]
Password: [My unencrypted password was here]

Customer Support
NewsGator Technologies

Huh?

If this was a password reset or new account creation, that would have been acceptable -- as long as I am then required to change it the next time I log on. But what they sent me is a password that I created months ago.

This could only mean that on NewsGator's servers, my password is stored either in unencrypted format, or if it is encrypted, it is reversible. I know that a lot of smaller sites do this... but NewsGator? What happened to one-way encryption?
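
The design argued for above, as an added example that is not part of the original post or NewsGator's code: passwords are stored only as a salted one-way derivation, and "Forgot your password?" mails a single-use, expiring reset token instead of the old password. The in-memory stores, function names, and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stand-ins for a user table and a reset-token table.
USERS = {}          # username -> (salt, derived_key); the password itself is never stored
RESET_TOKENS = {}   # sha256(token) -> (username, expiry); the raw token is never stored

def _kdf(password, salt):
    # One-way: the output cannot be turned back into the password, so the site
    # has nothing it could mail back to the user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(username, password):
    salt = secrets.token_bytes(16)          # per-user random salt
    USERS[username] = (salt, _kdf(password, salt))

def verify(username, password):
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _kdf(password, salt))  # constant-time compare

def forgot_password(username, ttl=900, now=None):
    """Return a reset token to be emailed; the existing password is not recoverable."""
    if username not in USERS:
        return None  # a real site would still show the same response to the requester
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + ttl)
    return token

def reset_password(token, new_password, now=None):
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)     # pop makes the token single-use
    if entry is None or now > entry[1]:     # unknown, already used, or expired
        return False
    register(entry[0], new_password)        # fresh salt, old derived key discarded
    return True

if __name__ == "__main__":
    register("alice", "old-pass")
    t = forgot_password("alice")
    print(reset_password(t, "new-pass"), verify("alice", "new-pass"))
```
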

Comments? Good, bad, tolerable, unacceptable?
