Personal data and security are more important than ever, and when a website isn’t taking an interest in user security, it needs to be pointed out. That’s what Dan Goodin of Ars Technica has done with regard to Greyhound.com. Apparently, Goodin used to report frequently on websites with poor password policies but sort of stepped aside to let other outlets take care of such things. Goodin decided to come out of retirement for one special website, though: Greyhound.com.
Goodin says the bus company’s website password policy allows an astonishing 4-character minimum for passwords. Of course, we know that the shorter a password is, the easier it is to crack. On top of that, Goodin discovered that if a user forgets their password, Greyhound.com will send them the PIN or password in plaintext via email. Goodin says this is a good indication that the company isn’t using any sort of cryptographic hashing to protect users’ passwords should there be a data breach.
Worst of all: Greyhound.com provides no mechanism for changing a password. Ever. If an account is breached or a password is compromised, the account is stuck with that bad passcode indefinitely. Last week, I explained to a Greyhound spokeswoman why password hashing and password resets were crucial to security and asked if her company had any plans to add them to Greyhound.com. Her response:
“Per your inquiry regarding the website, this is on our roadmap to address, but at no time has a customer’s payment information been compromised when purchasing tickets on our website.”
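To make concrete what the three findings above mean in practice, here is an added example (not Greyhound’s code and not from the Ars Technica article) of a minimal account store that does what the article says Greyhound.com does not: it enforces a sensible minimum length, stores only a salted scrypt hash so the site never has the plaintext to email back, and supports both password change and token-based reset. The class and function names, the 12-character minimum and the 15-minute reset-token lifetime are assumptions chosen for the example.

```python
"""Added example: an account store with a sane password policy.
Not Greyhound's code; names, limits and lifetimes are assumptions."""
import hashlib
import hmac
import secrets
import time

MIN_PASSWORD_LENGTH = 12   # assumed policy; the article reports a 4-character minimum
RESET_TOKEN_TTL = 15 * 60  # assumed: a reset link stops working after 15 minutes
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def guess_space(length, alphabet=62):
    """Number of candidate passwords of exactly `length` characters drawn from
    an alphabet of `alphabet` symbols (62 = a-z, A-Z, 0-9). Shows why a short
    minimum is weak: 4 characters give only ~14.8 million candidates."""
    return alphabet ** length


def hash_password(password):
    """Return 'scrypt$<salt hex>$<hash hex>'. A fresh random salt per password
    means identical passwords produce different stored values."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class PolicyError(ValueError):
    """Raised when a password violates the minimum-length policy."""


class AccountStore:
    def __init__(self):
        self._users = {}   # email -> password hash string; never the password itself
        self._resets = {}  # email -> (sha256 of reset token, expiry timestamp)

    def _set_password(self, email, password):
        if len(password) < MIN_PASSWORD_LENGTH:
            raise PolicyError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        self._users[email] = hash_password(password)

    def register(self, email, password):
        self._set_password(email, password)

    def login(self, email, password):
        stored = self._users.get(email)
        return stored is not None and verify_password(password, stored)

    def change_password(self, email, old_password, new_password):
        """Password change requires the current password; returns True on success."""
        if not self.login(email, old_password):
            return False
        self._set_password(email, new_password)
        return True

    def begin_reset(self, email):
        """Return the single-use token the site would put in an emailed link.
        Only the token's hash is kept, so a database leak does not expose
        usable reset links. Returns None for unknown accounts (the caller
        should respond identically either way to avoid leaking which emails exist)."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self._resets[email] = (token_hash, time.time() + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, email, token, new_password):
        """Consume the pending token (one attempt, success or not) and set a new password."""
        entry = self._resets.pop(email, None)
        if entry is None:
            return False
        token_hash, expiry = entry
        if time.time() > expiry:
            return False
        if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).digest()):
            return False
        self._set_password(email, new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("rider@example.com", "correct horse battery")   # constructed sample account
    token = store.begin_reset("rider@example.com")                 # this is what gets emailed, not the password
    print("4-char keyspace:", guess_space(4))
    print("reset ok:", store.complete_reset("rider@example.com", token, "staple gun express!"))
```

The point of the split between `hash_password` and `begin_reset` is that a site built this way physically cannot send a forgotten password back: the store only ever holds a salted hash, so the only recovery path is a fresh reset token, and the only thing that token can do is set a new password.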
What Goodin has uncovered here is important for Greyhound.com users to know, so we’re helping to spread the word. Hopefully, the company will take notice of the Ars Technica story and get on with improving its password policy. It is in its best interests to do so.

Source: Ars Technica