An official standard regarding user password storage practices

Tags: passwords, security, standards

I recently used a government service that I had an account for from years ago. I couldn't remember my password for the service so I used the "forgot password" link and was astonished to see that this government website sent my password to my email address in plain text.

I'm personally aware of how to handle user passwords, and I sent some comments about my concerns through a feedback form (this is a government website; people use other online government services which deal with sensitive information, most people use the same password or handful of passwords for everything (I know I do), and I suspect the same security practices are used throughout), which I got a prompt response to. They simply reassured me that "the Ministry has taken the necessary steps to protect password information, including storing them with the proper encryptions in place."

I'd like to just say "well obviously you haven't taken the necessary steps if you're able to email my password to me" but I'm not trying to be rude, and I don't think my message would ever reach somebody who knows what I mean anyway.

So I'd like to just state that "the necessary steps haven't been taken according to [some official security standard]" which might prompt someone to look into it. I did a quick search on OWASP but only found an article regarding plaintext storage.

Is there a security standard regarding user password handling out there which prohibits (as I think it probably would) storage of retrievable password information? Even better: is there such a standard which must be followed by websites dealing with sensitive information such as banks and government web services?

I know I probably won't change anything but it's worth a shot IMO.

Best Answer

Well, the epic thread https://stackoverflow.com/questions/2283937/how-should-i-ethically-approach-user-password-storage-for-later-plaintext-retriev certainly has a lot to say about the issue.

Potentially relevant to your interests:

-1: passwords should never be "encrypted". It is a violation of CWE-257 (cwe.mitre.org/data/definitions/257.html). – Rook Feb 17 '10 at 21:52
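The following is an added illustration, not code from the question or the answer above, of the distinction the quoted comment draws. A "recoverable" store (what CWE-257 describes) keeps something the server can turn back into the plaintext, which is exactly what lets a site e-mail you your own password. A hashed store keeps only a salted, slow-to-compute digest, so the only thing a "forgot password" flow can send is a one-time reset token. The toy keystream cipher, the server key, the record layout, and the sample passwords are all constructed for this example; the 600,000 PBKDF2-HMAC-SHA256 iterations follow the OWASP Password Storage Cheat Sheet recommendation.

```python
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# Recoverable storage (CWE-257). Constructed toy: XOR with an HMAC-derived
# keystream. The cipher itself is irrelevant; the point is that anyone holding
# SERVER_KEY, including the application, can get the plaintext back.
# ---------------------------------------------------------------------------
SERVER_KEY = b"constructed-server-side-key"  # assumption: a key the app holds


def _keystream(nonce: bytes) -> bytes:
    return hmac.new(SERVER_KEY, nonce, hashlib.sha256).digest()


def store_recoverable(password: str) -> dict:
    pw = password.encode()
    if len(pw) > 32:
        raise ValueError("toy cipher: password longer than one keystream block")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(nonce)))
    return {"nonce": nonce, "ct": ct}


def recover_password(record: dict) -> str:
    """The function a plaintext 'forgot password' e-mail depends on."""
    return bytes(a ^ b for a, b in zip(record["ct"], _keystream(record["nonce"]))).decode()


# ---------------------------------------------------------------------------
# Hashed storage: salted PBKDF2-HMAC-SHA256. There is no inverse function, so
# the service can only verify an attempt or start a reset, never retrieve.
# ---------------------------------------------------------------------------
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended minimum for PBKDF2-HMAC-SHA256


def _pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_hashed(password: str) -> dict:
    salt = secrets.token_bytes(16)  # per-user random salt defeats precomputed tables
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": _pbkdf2(password, salt, PBKDF2_ITERATIONS),
    }


def verify(record: dict, attempt: str) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(_pbkdf2(attempt, record["salt"], record["iterations"]), record["hash"])


def begin_reset(record: dict) -> tuple:
    """Forgot-password flow for a hashed store: mint a one-time token.

    Only the token's hash is kept server-side, so a database leak does not
    hand out usable reset links. The caller e-mails `token` to the user.
    """
    token = secrets.token_urlsafe(32)
    updated = dict(record, reset_token_hash=hashlib.sha256(token.encode()).digest())
    return token, updated


def complete_reset(record: dict, token: str, new_password: str):
    """Return a fresh hashed record if the token matches, else None."""
    expected = record.get("reset_token_hash")
    if expected is None:
        return None
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected):
        return None
    return store_hashed(new_password)  # old hash and the used token are discarded
```

Note that the recoverable record and the hashed record look superficially similar in a database dump (random-looking bytes plus a per-row nonce or salt), which is why "we store them with the proper encryptions in place" is not reassuring on its own. The test that matters is behavioural: if the service can produce your password in an e-mail, a `recover_password`-style function exists somewhere, and the store is recoverable by definition.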
