The EFF need a lesson in security

Please note that all blog posts before 8 April 2007 were automatically imported from LiveJournal.  To see the comments and any LiveJournal-specific extras such as polls and user icons, please find the source posting at http://brianenigma.livejournal.com/2006/08/

Sometimes I get email from the EFF about things to take action on — bills about to be passed, etc. I went to http://action.eff.org today so that I could automatically send some notes off against whatever Senator Stevens (“the internet is a series of tubes”) is now trying to do. While you can manually type in your name and address each time you go there, I have a login so that my info is populated when I arrive and I can send everything with one mouse click. Because I recently switched browsers (Safari to Firefox), it didn’t automatically remember me, so I had to log in. But what was my password? Well, I went through the whole “forgot password” process and checked my email.

And there it was. My password was right there in the email:

Someone (probably you) asked for your password to be e-mailed to you.
This message has been sent only to the e-mail address you registered
with. If you didn’t request this, someone may be trying to gain access
to your account; please notify us at {email address}.

Note that passwords are case-sensitive and must be entered exactly as
they appear below. If you cut and paste from this message, be sure
that you are not pasting additional spaces into the password field.

User Name: {my email}
Your Password: {my password}

Go back to the Electronic Frontier Foundation: http://www.eff.org/

Go to the following link to change your password: {very long link}

So you would think that someone like the EFF, who is very much into security and privacy, would know enough to not store plaintext passwords in their database, right? I guess not. At the very least, you would expect them to assign a new password and send it to you in email rather than echoing your current password.
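As an added illustration of the point above (example code written for this post, not the EFF's system): a hypothetical in-memory user store built the way that email implies, beside one that keeps only a salted hash and answers "forgot password" with a single-use, expiring reset link. The store classes, the reset URL and the token lifetime are all assumptions.

```python
# Added example: "email the current password" versus hashed storage with a reset token.
# Hypothetical in-memory stores; nothing here is the EFF's code.
import hashlib, hmac, os, secrets, time

class PlaintextUserStore:
    """The anti-pattern in the post: the password is kept verbatim, so a
    'forgot password' request can simply echo it back (and so can anyone
    who reads the database or the mail)."""
    def __init__(self):
        self.users = {}                     # email -> password
    def register(self, email, password):
        self.users[email] = password
    def forgot_password_email(self, email):
        return f"User Name: {email}\nYour Password: {self.users[email]}"

class HashedUserStore:
    """Hardened flow: store a salted PBKDF2 hash, and on 'forgot password'
    hand out a random, single-use token that expires after token_ttl seconds."""
    ITERATIONS = 600_000                    # PBKDF2-HMAC-SHA256 work factor (assumption)
    def __init__(self, token_ttl=900):
        self.users = {}                     # email -> (salt, hash)
        self.tokens = {}                    # token -> (email, expiry timestamp)
        self.token_ttl = token_ttl
    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)
    def register(self, email, password):
        salt = os.urandom(16)               # fresh per-user salt
        self.users[email] = (salt, self._hash(password, salt))
    def verify(self, email, password):
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, self._hash(password, salt))
    def forgot_password_email(self, email, now=None):
        # The stored hash cannot be reversed, so the only thing we can send is a reset link.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, now + self.token_ttl)
        return ("Go to the following link to change your password: "
                f"https://example.invalid/reset?token={token}")   # hypothetical URL
    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return False                    # unknown or already-used token
        email, expiry = entry
        if now > expiry:
            return False                    # token expired
        self.register(email, new_password)  # new salt, new hash
        return True
```

The plaintext store's "forgot password" mail contains the password itself; the hashed store's mail contains only a token that is useless after one use or after the lifetime elapses.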
