On pizza and passwords

13 November 2009

Having been trying to lose weight for the past nine months, pizza isn't something I've ordered a great deal of late, but whilst trying to use the "Dominos Pizza website":http://dominos.co.uk today I was quite surprised to discover that they appear to be storing their passwords in plain text. I couldn't remember my account password, so I promptly followed the "Forgot your password?" link. I entered my email address and answered a security question - pretty standard stuff - and hey presto: "Your password has been emailed to you".

What? How and why would you do that? Surely you've been "salting and hashing":http://en.wikipedia.org/wiki/Password_cracking#Salting my password when storing it in the database. And why would you send it unencrypted via email? But that's exactly what happened. No temporary password. No unique reset link. Just my password in all its plain-text glory. It's baffling that they could make such an amateurish mistake. I guess there is an outside chance that they are storing passwords using some kind of public key encryption (which I doubt), but they still sent it to me via email in plain text anyway. Thank goodness they don't store my credit/debit card details too!

My initial reaction was to delete my account, but they don't appear to offer any way of doing this. So I've had to settle for firing off an email to "concerns@dominos.co.uk":mailto:concerns@dominos.co.uk with my complaint and hope they take some notice. If I hear back, I'll post an update.

It makes me wonder how many other high-profile sites out there could be storing passwords in plain text. Because "it's not like security breaches ever happen":http://search.bbc.co.uk/search?tab=all&q=online%20database%20breach&start=2&uri=%2F&scope=all&go=toolbar, is it?