Passwords In The Clear

One time I went to reset my password for my local bank account (a long time ago). When I received the password reset email, I was shocked. SHOCKED. Why?

My password was sent to me in plain text!

Now, there are several things wrong here, but can you point to what the most egregious one is?

If you think it was because the password was in plain text, well, although that's really bad, that's not all of it.

When your actual password is sent to you, that means your password is not stored securely at all. It is not protected by a one-way (irreversible) hash; the password itself is being stored, in recoverable form, in a database somewhere.
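As an added illustration (not code from the original post), the following Python sketches what the bank's process was missing: passwords kept only as salted one-way hashes, so a reset email can carry nothing but a short-lived random token, never the password itself. The in-memory user table, the token store and the 15-minute expiry are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed stand-ins for a real database (assumption for this example).
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # token -> (username, expiry_timestamp)

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow, one-way: nothing stored can be turned back
    # into the password, so no reset email could ever contain it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def request_reset(username: str, now: Optional[float] = None) -> str:
    # This token is what the email should carry: random, single-use,
    # and expiring after 15 minutes (assumed lifetime).
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, now + 900)
    return token

def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)  # pop: a token works at most once
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    set_password(username, new_password)
    return True
```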

As a concerned security citizen I emailed the bank asking for the security person responsible.

Here's where it gets interesting... the security person in charge insisted that the security of this process was OK!

We went back and forth, but they did not budge.

I still have the emails. :)