GoldenPalace.com password security concern

halcyon1234 (Dormant account; joined Apr 20, 2007; location: Ontario)

It's been a long time since I've done any online gambling, though I still get daily spam from every casino I ever signed up with. No worries, it gets junked and ignored. Except for today. For some reason, the email from GoldenPalace caught my eye, and I opened it.

Subject line is: Your account has been restored. Presumably accounts that haven't been logged into for a long time get deactivated, and this is their way of trying to nudge me back into logging on. Again, no problem so far. But then I read the email a bit more carefully, and it says "Find your account information below: username: <my old userID> password: <my ACTUAL plaintext password>."

So they're sending out sensitive information in plaintext in an email, which is disturbing enough. BUT this also means from a technical standpoint, they are storing passwords insecurely. They aren't hashing the passwords. Passwords should NEVER be retrievable. This is a massive, MASSIVE security blunder. For those who know, you know, for those who don't-- you know when you hear about "so and so website had x million passwords stolen from them". This is why. If their database is ever compromised, not only will the attacker have your password to this site, but can then try out that password on your email-- on your other casinos-- on your payment account-- etc.

This is as egregious as a car manufacturer forgetting to put seatbelts in a car.

Like I said, I haven't done any casinoing in a long time. My password back then isn't my password now (specifically because it had been compromised in other similar incidents). But I thought I'd post this as food for thought for anyone picking a casino, and taking the company's security practices into account when deciding if you should trust them with your money or not.
 
They have clearly not brought their procedures up to date. I recall this kind of email back in 2004, but in 2013 people have learned lessons from past hacks and security breaches and now only a username is sent via email. Many sites now only offer a password reset procedure, rather than a retrieval of a forgotten password.

If any hackers know this company still uses last century's security standards when it comes to holding players' passwords, they are going to wonder what else is still "last century" in terms of security, making them a target for data theft.

If they have their database stolen, and criminals manage to hack other assets based on the clear text passwords, they could send a whole team naked to the next winter Olympics, and it still won't draw in depositing players.
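
The two practices discussed in this thread (storing only a salted one-way hash, and emailing a reset token rather than the password) as an added example; it is not part of either post and not GoldenPalace's code. The function names, the in-memory `user` dict, the PBKDF2 work factor and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def hash_password(password):
    """Return what the database stores: a random salt and a slow one-way hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record, candidate):
    """Recompute the hash from the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def start_reset(user, now, ttl=900):
    """Create the token that goes in the email; the server keeps only its SHA-256."""
    token = secrets.token_urlsafe(32)
    user["reset"] = {"token_sha256": hashlib.sha256(token.encode()).digest(),
                     "expires": now + ttl}
    return token


def finish_reset(user, token, new_password, now):
    """Accept a new password only for an unexpired, matching, unused token."""
    pending = user.get("reset")
    if pending is None or now > pending["expires"]:
        user.pop("reset", None)  # drop expired requests
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, pending["token_sha256"]):
        return False
    user["password"] = hash_password(new_password)
    del user["reset"]  # single use
    return True


if __name__ == "__main__":
    # Constructed sample account; timestamps are plain integers for the demo.
    user = {"name": "constructed-user", "password": hash_password("old-secret")}
    token = start_reset(user, now=1000)
    print(finish_reset(user, token, "new-secret", now=1060))
    print(verify_password(user["password"], "new-secret"))
```

With this layout the stored record cannot be turned back into the password, so a "here is your password" email is impossible by construction.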
 
