TrendMicro sends passwords in plain text - that's security
I just subscribed to the online account and got this:
Dear Alex Sxxxxxx,
Thank you for registering Worry-Free Business Security Services for Dell. Your account will be activated immediately.
Account Information
Service Name: Worry-Free Business Security Services for Dell
Activation Code: WF-HMWA---------------------

Logon Information
User Name: syrnick
Password: PASSWORD IN PLAIN TEXT
Validity: 455 days (2/7/2011 - 5/7/2012)
Product/Service Console: https://wfbs-svc.trendmicro.com/dell/
With password in plain text that makes me worry - what do they know about security?

What about Basic Authentication, the default authentication protocol for web pages? Credentials are passed encoded as base-64, hardly better than plain text in the open. What would you propose as a better solution? Is there a difference in the level of security you would want for a site like TrendMicro and the level of security you would want for your Bank Account?

Yes, sending credentials in plain-text is bad. I would be more worried about your password being stored in plain text. That data is just sitting there...waiting. Defended by super 1337 TrendMicro security!

Since this password was sent in plain text at signup-time, there's a chance that it was still hashed/encrypted before being stored. Not a good chance, given the fact that they thought it was ok to send it in plain text at all, but still a chance.

They are not the only ones. Many websites do this. Not only with signing up, but also with "forgot password" too.
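An added example, not code from the post or from any commenter, that puts the two points raised in the comments side by side: a Basic Authentication header decodes back to the password without any key, while a salted hash kept for storage can only be checked against a login attempt. The sample credentials and function names are constructed for illustration, and scrypt is an assumed choice of password hash, not something the page says TrendMicro uses.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials, not taken from the page.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic 'Authorization' header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Recover user and password from a Basic header: no key is needed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the password itself is not kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest from the attempt and compare in constant time."""
    attempt = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    header = basic_auth_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print(header, "->", decode_basic_auth(header))
    salt, digest = hash_password(SAMPLE_PASSWORD)
    print("stored:", salt.hex(), digest.hex())
    print("verify:", verify_password(SAMPLE_PASSWORD, salt, digest))
```

A service that stores only the salt and digest has nothing it could put into a signup or "forgot password" e-mail, which is why a mailed password suggests the original is being kept somewhere.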