---------------------------------------- Plaintext passwords May 12th, 2020 ---------------------------------------- A recent set of exchanges on the fediverse reminded me that there's still plenty of poorly run websites and institutions who are still storing user credentials in plain text. Yes, unencrypted plain text. I remember the horror in my heart back in 2008 when I was trying to learn about virtual credit cards from my bank (a cool idea which went away for no good reason). I was on the phone and the customer service representative asked me for the 3rd and 5th letter in my password to verify my identity. Did it hit you too? Did that little pit in your stomach open up like it did for me? How could this person know a specific character in my password? Needless to say, the conversation I had with the bank that day quickly changed. I wish that was the only time I had the experience, but it happened a second time in the same year in a conversation with Fidelity, who ran my 401k at my job at the time. In that case I was stuck. I couldn't choose to move my 401k to another provider. Thanks America. Anyway, there's a ton of these places including a downright scary number of banks (looking at you Tesco). I figured gopher needed some place to reference the list of shame, so I made one [0] over in my Experiments section. There's a link over there to the master list managed in github as well. If you have others to add, make a PR and help shame them. (TXT) [0] List of sites storing passwords in plain text