About

A website storing a password in plain text means that your password is there, waiting for someone to come and take it. It doesn’t even matter if you’ve created the strongest possible password. It’s just there.

Whether it’s someone hacking into their servers, using a simple flaw in their site or even stealing their backups, over 30% of sites store plain text passwords.

We’re tired of websites abusing our trust and storing our passwords in plain text, exposing us to danger. Here we put websites we believe to be practicing this to shame.

Found a text offender? Anonymously submit it to us and put it to shame!

Are you a developer? You can read a technical introduction to what you can do and then read about the two algorithms you should choose from. An alternative to all the hard work would be to completely delegate authentication using standard secure protocols like OpenID Connect (with implementations by many big names) and just get rid of the whole headache entirely.

Just want to help? Find a site you know and contact them with the post. We’re always looking to add sites to the list of reformed offenders!

More reading? Here’s why even just sending the password via email without storing it in plain text is bad. Here’s why limiting the kinds of passwords you can use is also a bad idea.

Created by @hmemcpy and @omervk.

Photo by Michael Reidel cc-by

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Short URL for this post: http://tmblr.co/Zy4yby
blog comments powered by Disqus