I was perusing www.americanmusical.com the past couple of days looking for a new instrument, as I have done many times in the past. AMS is top-notch when it comes to customer support, shipping, quality, price, the whole nine yards. However, when I tried to log in I realized I had forgotten my password. To my dismay, they knew it. How convenient.
“An email containing the password will be sent out shortly”… that says it all now, doesn’t it? Guys, are you kidding me? Sure enough:
There’s my password in an unencrypted email.
Now luckily there isn’t anything too important in there (like banking information and such), but someone would be able to get all of my order history, contact information, etc. That’s somewhat of a privacy concern to me.
Always store only a hashed version of the password. This fixes two things. First, there is only one person who should know the password: the user. If they forget it, they need to reset it, because nobody else (including the site) can recover it. Second, when the site emails the user, all they receive is a temporary link used to reset the password to something of their choosing. Once that link expires or is used, there is nothing of use left in the email.
This explains their perception of passwords completely:
Sorry guys, I love ya, but this is ridiculous.