Is it secure to store passwords with 2 way encryption?

No, this is not a good practice. There are two distinct problems.

  • encrypting the password instead of hashing it is a bad idea and is borderline storing plain text passwords. The whole idea of slow hash functions is to thwart the exfiltration of the user database. Typically, an attacker that already has access to the database can be expected to also have access to the encryption key if the web application has access to it.

    Thus, this is borderline plaintext; I almost voted to close this as a duplicate of this question, because this is almost the same and the linked answer applies almost directly, especially the bit about plaintext offenders; there is another answer about plaintext offenders as well.

  • sending the plain text password via plain text email is a bad idea. They could argue that there is no difference when no password reuse happens, but I doubt they would even know what that is and why it’s considered bad practice. Also, password reuse is so common that that wouldn’t be a good answer.

Additionally, as they seem to be working on the second part (even though password reset links in plain text emails are in the same ballpark, i.e. a threat that can read the password from the plain text mail can also read the link, maybe before you can), you could explain to them the problem about not hashing from my answer; also feel free to link this answer directly.

Maybe even explain that encryption is one way, but can always be reversed by the inverse function of the crypto system in question, aptly named decryption. Using terms like "one way encryption" and "two way encryption" rather than "hashing" and "encryption" shows a lack of understanding.

The real problem is: them implementing a password reset does not mean they will hash (correctly) in the future; there is not much you can do about this except using a password manager and creating a long, strong passphrase that is unique for this site and hoping for the best.

This is especially true since they seem to want to keep the part of their system that tells staff your password (for absolutely no good reason). The implication being they keep not hashing properly - them saying staff can only see the password in that three-login timeframe is not true; if the web app can access the key, so can the administrative staff. Maybe no longer the customer support staff, but they shouldn't be able to see it in the first place. That is horrifically bad design.

Depending on your location, schools, as part of the public sector, have obligations to have a CISO you can contact directly, expressing your concerns. And as usual in the public sector, there ought to be an organization that is supervising the school; they should have a CISO at least, who might be quite interested in this proceeding.
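
The difference between reversible encryption and a slow one-way hash, as described in the answer above, shown as an added example that is not part of any answer on this page. The keystream cipher is a toy stand-in for a real cipher such as AES, and the function names, sample password and PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune per hardware

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_password(key: bytes, password: str) -> bytes:
    # Reversible storage: the design the answers criticise.
    nonce, data = os.urandom(16), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_password(key: bytes, record: bytes) -> str:
    # Anyone who holds the key (web app, admin, intruder) gets the password back.
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def hash_password(password: str) -> bytes:
    # One-way storage: per-user random salt plus a deliberately slow hash.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, record: bytes) -> bool:
    # The only operation a hashed record supports: recompute and compare.
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    app_key = os.urandom(32)               # constructed key, readable by the web app
    pw = "correct horse battery staple"    # constructed sample password
    encrypted, hashed = encrypt_password(app_key, pw), hash_password(pw)
    return {
        "recovered_with_key": decrypt_password(app_key, encrypted),
        "length_leaked": len(encrypted) - 16 == len(pw.encode()),
        "login_ok": verify_password(pw, hashed),
        "wrong_guess_rejected": not verify_password("guess", hashed),
        "hash_record_len": len(hashed),    # 16-byte salt + 32-byte digest, any password
    }

if __name__ == "__main__":
    print(demo())
```

The encrypted record gives the password back to whoever can read the key and also reveals its length, while the hashed record has a fixed size and can only answer whether a candidate password matches.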


Everyone is focusing on the encryption vs. hashing but, while that is bad in itself, I find the following more egregious:

"For support reasons, the parent password is visible to certain staff until the parent has successfully signed in 3 times."

You should interpret this as "the IT staff knows my password". They openly admitted that certain members of their staff can know your password. This is beyond bad. I'm assuming this counter is reset after you change your password, so using a dummy password three times and then changing it to a 'real' password won't do anything. Don't put anything on that platform that you don't want publicly known, and if you used the same password on other sites, change them.


No, as you correctly surmised, this behavior is clearly not secure.

What you can and should do is not trust their system. Don't use a password on the school system that is anything like your banking or other passwords. Don't put in any more information than is absolutely required to get your child through school. If your child brings home a note that says to "log in and update your info", don't put in anything you are uncomfortable revealing.

At least their "in the future" scenario sounds like they are implementing the behavior they need in order to support securely hashed passwords; whether or not they will actually securely hash the passwords (after three logins) instead of encrypting them will be a different question. And you won't be able to answer that question by observation. If you are still concerned, you could contact the software vendor and ask them how it works.