I just logged into the
Broad Institute's ChemBank database for the first time in a loooong time and I forgot my password. I clicked on the handy "forgot password" link and in about 30 seconds, I received an email that
contained my old password (see pic).
Why is mailing my password problematic? Well, I'm no
web-security expert, but this is a
major-league no-no. It means that ChemBank's passwords are stored in plain-text (or at best a reversible hash, which is a relatively pointless exercise in obfuscation). It also means that any employee (gruntled or disgruntled) with access to ChemBank's database can likely view a treasure-trove of user passwords that are linked to big-pharma and biotech accounts. And any
intruder who gains access to ChemBank's database will unearth that same treasure-trove.
And like everyone else on the planet those big-pharma and biotech users probably employ the same password for several accounts. Therefore, being able to access ChemBank's database likely provides a mechanism for black-hats and ne'er-do-wells to establish beachheads for industrial malfeasance.
The way that it
should be done is passwords should be stored as
salted 1-way hashes, thereby making it more difficult for the bad guys to figure out everyone's password if they ever
do break into your server.
This is also why most reputable websites will NEVER email your password to you when you've forgotten it. Rather, they email you a link that lets you re-set your password. Why don't they mail your password to you? Because if it's properly encrypted, then
even they don't know what it is.