Enlarge / This is what Greyhound.com e-mails you when you forget your password.
When it comes to websites with bad password policies, there’s no shortage of bad actors. Sites—some operated by banks or other financial services—that allow eight- or even six-character passwords, sometimes even allowing letters to be entered in either upper- or lower-case? Yup. Sites that e-mail forgotten passwords in plaintext? Sadly, all the time. Ars largely stopped reporting on them because they’re better covered by Twitter accounts like this one.
But recently, I saw a site policy so bad I couldn’t stay quiet. It’s Greyhound.com, a site that among other things lets people book bus travel and redeem rewards for past trips. The site allows passwords as short as four characters—including 1234. And when a user forgets a password, Greyhound.com will send the plaintext of the PIN or password in e-mail, an indication that the site isn’t using any sort of cryptographic hashing to protect user passwords in the event that Greyhound’s database is ever breached.
Worst of all: Greyhound.com provides no mechanism for changing a password. Ever. If an account is breached or a password is compromised, the account is stuck with that bad passcode indefinitely. Last week, I explained to a Greyhound spokeswoman why password hashing and password resets were crucial to security and asked if her company had any plans to add them to Greyhound.com. Her response: