Don’t see my password! Please…

And it’s the time I cleanup my inbox and get shocked at seeing a mail from Bharatmatrimony reminding me to login often for them to serve me better(?). Here’s snapshot of their mail.

Login details carrying passwords in plain text

Login details carrying passwords in plain text

Again I try another attempt on ‘Forget password’ , they send passwords for all accounts with the same email id. OMG! Opos! Goosh!

Accounts with password in plain text in mail

Accounts with password in plain text in mail

So you’re storing my password in plain text format in your server systems? OMG! Unexpected totally.

From your about us , it is clear that you are now able to read 20000000+ member’s password directly from the year 1997 onwards, roughly 15+ years.

BharatMatrimony.com

BharatMatrimony.com is celebrated as the Most Trusted Matrimony Brand combining tradition and technology. A network of 15 regional portals and over 2 Crore members, BharatMatrimony has found a place in the Limca Book of Records for facilitating a record number of marriages. BharatMatrimony has been recognised as the Best Matrimony Website 2007 by PC WORLD for technology and performance and is also listed in the NASSCOM’s Top 100 IT Innovators. All the awards we have won have encouraged us and we stand as the most preferred site for matrimonial search according to a study by JuxtConsult.

Come-on , Bharatmatrimony. I never ever expect this from you.You’re matured well. Don’t see my password.I thought you’re standardized in terms of user privacy and industry level customer information protection.

What kind of your records on Limca book and certification over ISO 9001:2008 matters to the people , if you’re still sending all our passwords in plain text mails?

Please Consim & Team at Bharatmatrimony, get your people trained on protecting user’s personal info.

Please go on reading the OWASP’s rules on storing passwords in server.

“Passwords are secrets that only the account owner should know. For the system that uses these passwords to authenticate its users, there is no reason to decrypt them under any circumstances. It is crucial that passwords are stored in a way that allows them to be verified but not reversed in any way, even by insiders.”

And please encrypt our passwords with stronger hash in future.

Bharatmatrimony & Consim, I hope you’ll block your (database)administrators to look into our passwords in future.

Any thoughts?

This entry was posted in linux, technology and tagged , , , , , , . Bookmark the permalink.

2 Responses to Don’t see my password! Please…

Leave a Reply

Your email address will not be published. Required fields are marked *


+ 1 = five