Should companies that store passwords in plaintext be held accountable when they are compromised? Recently I needed to reset my login for www.msy.com.au for their online store. I knew what email address I had used, my generic junk one with Hotmail, but what the hell did I set my username & password to? Normally I just hope for the best and head in-store.
After clicking Forgot Username/Password I was absolutely amazed to receive an email with my username and password that I had set.
www.msy.com.au store all passwords in plaintext! To be honest, after asking around at work, no one was really shocked to find out that their passwords with MSY are in plaintext. However, with news report after news report showing that people frequently select the same username and password for almost all sites, this could hurt individuals.
MSY are currently developing an online ordering and delivery system. As a complete rewrite is likely to be off the cards, what guarantee can MSY provide to me and everyone else that their home addresses, phone numbers, CC details, etc. are stored securely when password management appears too complex?
So I pose the question: if MSY is compromised (I hope they never are), should they be held responsible for exposing the plaintext passwords of their userbase and any other details?