Hey Lifehacker, In a time when our online data needs to be more secure than ever, how do companies still get away with storing our passwords in plain text? More specifically, how do we lobby for a standard and secure way for Australian companies to store our passwords? I believe the UK Data Protection Act covers such things over there.
Recently I forgot my Telstra password, and when requesting the password it was sent in plain text to my phone, which makes me assume that it is stored in those systems in plain text. Can anything be done about this? Thanks, That's Just Plain Dumb
Firstly: just because you've been sent this particular password in a text message, that doesn't mean it was stored in plain text. It could have been held in encrypted form in a secure database and decrypted to generate the message. What the message does tell you is that the password is stored in a reversible form rather than as a one-way hash (a service that only keeps a hash cannot send your password back to you; it can only check a login attempt and issue a reset). Text messages themselves aren't particularly secure — some devices let you add encryption, but that only protects a message if the sender uses the same system. However, because people generally keep a close hold on their phones (and the sensible ones use passcodes as well), sending texts for password retrieval (and two-factor codes) is widely accepted. Either way, how messages are transmitted is a distinct issue from how passwords are stored.
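To make the storage distinction concrete, here is an added illustration (not code from Lifehacker or from any telco) contrasting a store that keeps the password itself, and so can echo it back, with one that keeps only a salted, slow one-way hash and handles "forgot my password" by issuing a random single-use reset token. The class names, field names, the work factor and the sample users are all constructed for this example.

```python
"""Plain-text (recoverable) password store versus a one-way hashed store.

Illustrative code only; not from Lifehacker or any provider named on the page.
"""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (example value, chosen to be slow on purpose).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


class PlainTextStore:
    """The weak design: the service keeps the password itself. It can text it
    back to the user, but so can anyone who copies the table."""

    def __init__(self):
        self._table = {}

    def register(self, username, password):
        self._table[username] = password

    def verify(self, username, attempt):
        return self._table.get(username) == attempt

    def recover(self, username):
        # A 'send me my password' feature only works because storage is reversible.
        return self._table[username]


class HashedStore:
    """The sound design: only a per-user salted, slow one-way hash is kept.
    The service can check a login attempt but cannot reproduce the password."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self._table = {}
        self._reset_tokens = {}
        self._iterations = iterations

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        salt = os.urandom(SALT_BYTES)  # fresh salt per user defeats precomputed tables
        digest = self._derive(password, salt, self._iterations)
        self._table[username] = {"salt": salt, "iterations": self._iterations, "digest": digest}

    def verify(self, username, attempt):
        record = self._table.get(username)
        if record is None:
            return False
        candidate = self._derive(attempt, record["salt"], record["iterations"])
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(candidate, record["digest"])

    def stored_record(self, username):
        return self._table[username]

    def contains_plaintext(self, username, password):
        """True if the raw password bytes appear anywhere in what is stored."""
        rec = self._table[username]
        return password.encode("utf-8") in (rec["salt"] + rec["digest"])

    def issue_reset_token(self, username):
        """Forgotten-password flow that needs no stored plaintext: the user is
        sent a random single-use token; only its hash is kept server-side."""
        token = os.urandom(16).hex()
        self._reset_tokens[username] = hashlib.sha256(token.encode()).digest()
        return token

    def redeem_reset_token(self, username, token, new_password):
        expected = self._reset_tokens.get(username)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, expected):
            return False
        del self._reset_tokens[username]  # single use
        self.register(username, new_password)
        return True


if __name__ == "__main__":
    weak = PlainTextStore()
    weak.register("alice", "correct horse battery staple")
    print("plain-text store can hand the password back:", weak.recover("alice"))

    good = HashedStore()
    good.register("alice", "correct horse battery staple")
    print("hashed store verifies login:", good.verify("alice", "correct horse battery staple"))
    print("hashed record contains plaintext:", good.contains_plaintext("alice", "correct horse battery staple"))
    token = good.issue_reset_token("alice")
    print("reset via token instead of plaintext:", good.redeem_reset_token("alice", token, "new passphrase"))
```

The contrast is the point: `PlainTextStore.recover` is exactly the capability that lets a provider text you your password, while `HashedStore` has no such method to write, and its reset path works from a random token rather than from anything it knows about the old password.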
To your broader point: while it might be desirable for minimum standards for data security to be introduced across all industries, to be blunt I wouldn't hold your breath — the current federal government seems much keener on cutting out existing regulations than on adding new ones. That doesn't mean you can't write to your local member expressing your concern, but it seems unlikely that much is going to happen. You arguably have more leverage with individual companies — a data breach resulting from a lack of secure storage is a major PR blunder, and highlighting that fact might scare some providers into improving their approach.
Incidentally, the UK Data Protection Act doesn't mandate any specific requirements for how information is protected, in part because it's intentionally broad — it covers data stored in non-electronic form as well — and in part so it isn't tied to a particular technology. The Information Commissioner's Office (which oversees the law) definitely advises against plain text storage of passwords, however.