Today I received via snail mail my annual season ticket holder renewal for the Washington Capitals. As also seems to be traditional, my PIN (really a password) was included on the invoice. This makes it easier for people to renew online without having to get their password reset.
Passwords provide authentication. That is to say, they are used to prove who you are to the computer. As such they should be kept secret lest someone else could perform actions as you.
Since the Caps can print my password on my paper invoice, they must have the password stored in clear text in their password file. If someone were to compromise their computers, either through hacking or internal misuse, they would have access to my password without any additional work. Storing passwords in plaintext, or in an easily brute-forced hash, indicates a lack of due care. In the past year there have been many incidents where online companies were compromised and the password database was posted to the internet (Gawker, Plenty of Fish). Passwords should be stored securely by the web provider.
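To make the "invoice test" concrete, here is an added example (my own illustration, not code from the Capitals or their ticketing vendor) contrasting a record that keeps the PIN in clear text with one that keeps only a salted, iterated PBKDF2 digest. The e-mail address, PIN and iteration count are constructed sample values. The point is that a provider holding only the salted digest can still verify a login but cannot print the password on anything, and that an unsalted fast hash like MD5 gives away password reuse between accounts, which a per-user salt hides.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample record: what a ticket office that kept the PIN in clear
# text would have on file (hypothetical values, not anyone's real data).
PLAINTEXT_RECORD = {"email": "fan@example.com", "pin": "caps1234"}

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record holding only salt, cost and digest, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "digest": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def can_print_password(record: dict) -> bool:
    """The invoice test: does the stored record contain the password itself?

    A salted-digest record fails this test by design: there is nothing in it
    that could be printed on an invoice or mailed to the customer.
    """
    return "pin" in record or "password" in record


def unsalted_md5(password: str) -> str:
    """A fast, unsalted hash: two customers with the same password get the
    same value, so reuse is visible and precomputed tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def same_password_looks_same(password: str, hasher) -> bool:
    """True when hashing the same password twice yields identical stored values."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    stored = hash_password(PLAINTEXT_RECORD["pin"])
    print("plaintext record printable on invoice:", can_print_password(PLAINTEXT_RECORD))
    print("hashed record printable on invoice:   ", can_print_password(stored))
    print("login with correct PIN:", verify_password(stored, "caps1234"))
    print("login with wrong PIN:  ", verify_password(stored, "caps1235"))
    print("unsalted MD5 reveals reuse:", same_password_looks_same("caps1234", unsalted_md5))
    print("salted PBKDF2 reveals reuse:", same_password_looks_same("caps1234", lambda p: hash_password(p)["digest"]))
```

Note that `hash_password` is deliberately slow (hundreds of thousands of iterations) so that a stolen database cannot be run through a dictionary cheaply; a provider that can still print your PIN has skipped this step entirely.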
By writing down my password for me and putting it on the invoice, they have now exposed the password to anyone else opening my mail. I must protect this invoice like a password safe or destroy it. I normally keep these invoices around to watch the ticket cost skyrocket.
The main reason this is a security problem and not just bad form is user behavior. Users tend to have one password for most sites where they are not required to change the password. My email address is on the invoice. Want to place any bets on whether that password will get you into my mailbox? Once in the mailbox you can often find other passwords or, at worst, be able to compromise other accounts by using password resets, which will probably send a one-time URL link to that email box.
As a user, the best defense against this sort of thing is to use different passwords for every account. If nothing else, never set up an account to use the same password used with the email address associated with the account. Keeping track of these things is hard. That is why I use LastPass. It prompts you to save accounts as you use them. You can run a security test to see which accounts have duplicate passwords.
Even so, I would like to see the Washington Capitals commit to storing passwords securely so they can’t send passwords in clear text. If they don’t, I wouldn’t be surprised if in a few years the ticket renewal packages will be electronic. Sending the password in plaintext via email will be that much worse.