venomous porridge
I’m Dan Wineman and sometimes I post things here.


Fri, Nov 13th

My own brush with plaintext passwords

Go read Sean’s plaintext-password story (and follow-up), because it’s hilarious. I have one of my own.

Years ago, I registered an account with Equifax to get a copy of my credit report. They sent me a confirmation email containing my password, in plaintext. Normally I would have shrugged it off, but this was a. Fucking. Credit. Bureau. The account I had just created contained enough of my personal information to make an entire bad-check-writing Wineman clone army.

So I called them. I explained how they had endangered my privacy and potentially even my personal safety by emailing that password to me in plaintext. Anyone who managed to intercept that email—and who knows how many servers it had passed through or been stored on—could impersonate me, download my credit report, apply for credit in my name, or worse.

The representative calmly replied that I was perfectly safe. Why? Because my password was of no use by itself, and anyone using it would have to guess my username.

What?

That’s right, as long as I kept my username secret, they insisted, it was OK for them to give out my password.

But I made up my password, I said in a tiny incredulous voice, and I carefully chose a secure one. My username is the same as my real name.

Maybe you should have picked a less obvious username, then, they said. No, you can’t change it now. Sorry. Bye.

My desk still has the forehead marks.
