And it’s the time I clean up my inbox and get shocked at seeing a mail from Bharatmatrimony reminding me to log in often for them to serve me better(?). Here’s a snapshot of their mail.
Again I try another attempt at ‘Forgot password’; they send the passwords for all accounts with the same email id. OMG! Oops! Gosh!
So you’re storing my password in plain-text format in your server systems? OMG! Totally unexpected.
From your ‘About us’ page, it is clear that you are now able to read 20000000+ members’ passwords directly, from the year 1997 onwards, roughly 15+ years.
“BharatMatrimony.com is celebrated as the Most Trusted Matrimony Brand combining tradition and technology. A network of 15 regional portals and over 2 Crore members, BharatMatrimony has found a place in the Limca Book of Records for facilitating a record number of marriages. BharatMatrimony has been recognised as the Best Matrimony Website 2007 by PC WORLD for technology and performance and is also listed in the NASSCOM’s Top 100 IT Innovators. All the awards we have won have encouraged us and we stand as the most preferred site for matrimonial search according to a study by JuxtConsult.”
What do your records in the Limca Book and your ISO 9001:2008 certification matter to people, if you’re still sending all our passwords in plain-text mails?
Consim and the team at Bharatmatrimony, please get your people trained on protecting users’ personal info.
Please read OWASP’s rules on storing passwords on the server.
“Passwords are secrets that only the account owner should know. For the system that uses these passwords to authenticate its users, there is no reason to decrypt them under any circumstances. It is crucial that passwords are stored in a way that allows them to be verified but not reversed in any way, even by insiders.”
And please store our passwords only as strong, salted hashes in future, never in a form that can be sent back to us.
Bharatmatrimony & Consim, I hope you’ll block your (database) administrators from looking into our passwords in future.
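As an added example (not code from Bharatmatrimony or from the original post), here is what the OWASP rule quoted above looks like in practice, in Python: passwords are stored only as salted PBKDF2 hashes that can be verified but not reversed, so even a database administrator sees nothing usable, and the ‘Forgot password’ flow issues a one-time reset token because the old password no longer exists anywhere to be mailed out. The in-memory user table, the iteration count and the e-mail addresses are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed in-memory stores standing in for a database (illustration only).
USERS = {}          # email -> {"salt": bytes, "digest": bytes}; no plaintext is ever kept
RESET_TOKENS = {}   # sha256(token) -> email; the token itself is never stored

# Iteration count in the range OWASP currently recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per account means two users with the
    same password get different stored values; the digest cannot be turned back into
    the password, only re-computed and compared."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(email: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "digest": digest}


def verify_login(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    _, candidate = hash_password(password, user["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, user["digest"])


def forgot_password(email: str) -> Optional[str]:
    """With hashed storage the site cannot mail the old password (nobody has it);
    it issues a random one-time token that would go out in a reset link instead."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    return token


def reset_password(token: str, new_password: str) -> bool:
    """Consume the token (single use) and store a fresh salted hash of the new password."""
    email = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if email is None:
        return False
    register(email, new_password)
    return True
```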