When the email arrived I was horrified! The email contained my actual password! That means that Marvel was storing my password on their end! The horror! Now I'll admit that I use a different password for every site I log into (I'm not joking). I actually use a passphrase when I can. So I'm sure that if their database was compromised I'd have been safe. But storing passwords is an incredibly bad idea, even if they're encrypted. If a hacker has compromised your network, they'll likely find your encryption keys too.
There are already volumes written about why storing passwords is bad. There are tons of stories of stolen passwords. And there are lots and lots of articles on what you should do to authenticate users with a password and how you should be storing password hashes instead of the passwords themselves.
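To make the "store a hash, not the password" point concrete, here is an added example (my own illustration, not code from the post or from Marvel's site) showing what a site should keep on its end: a per-user random salt plus a slow PBKDF2-HMAC-SHA256 digest, and a verification routine that recomputes the digest at login. The iteration count, salt size and record format are assumptions chosen for the example. Note what the site ends up holding: with a record like this there is simply no plaintext password to put in an email; a forgotten password has to be reset, not "recovered".

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example (not values from the post).
PBKDF2_ITERATIONS = 600_000   # slow on purpose: raises the cost of offline guessing
SALT_BYTES = 16               # per-user random salt defeats precomputed tables


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<digest>'.

    A fresh random salt is drawn for every call, so two users with the same
    password (or the same user re-registering) get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Nothing here can recover the original password."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


class UserStore:
    """Minimal in-memory user table: holds hash records, never passwords."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> str:
        record = hash_password(password)
        self._records[username] = record
        return record

    def authenticate(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Still burn a PBKDF2 computation so a missing user is not
            # distinguishable by response time from a wrong password.
            hash_password(password)
            return False
        return verify_password(password, record)

    def stored_record(self, username: str) -> Optional[str]:
        """What a database dump (or a misguided 'forgot password' email)
        would expose: a salted digest, not the password."""
        return self._records.get(username)


if __name__ == "__main__":
    store = UserStore()
    rec = store.register("alice", "correct horse battery staple")
    print("stored:", rec)
    print("login ok:", store.authenticate("alice", "correct horse battery staple"))
    print("wrong pw:", store.authenticate("alice", "hunter2"))
```

Running the block prints the stored record, then `True` for the right passphrase and `False` for the wrong one. The record begins with the algorithm name and iteration count so that the site can raise the work factor later and re-hash users transparently at their next successful login.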
I just wanted to vent my geek rage and link a few key articles for anyone who reads this to ponder, most of them by Jeff Atwood, who seems to have a hot button for this issue.
More from Mr. Atwood on the matter:
- The Dirty Truth About Web Passwords
- OpenID: Does The World Really Need Yet Another Username and Password?
- You're Probably Storing Passwords Incorrectly
(Image copyright Marvel)