What to do about websites that store plain text passwords

There isn't really much you can do, other than contact the website and try to explain to them how bad an idea and practice it is to store (and email) passwords in plain text.

One thing you can do is report any offending site to plaintextoffenders.com - a site (currently a tumblr blog, but we're working on a proper site soon) which lists different "plain text offenders" - sites that email you your own password, thus exposing the fact that they either store it in plain text or use reversible encryption, which is just as bad.

With everything that's happened with Sony, again and again, people become more aware of the dangers of sites storing sensitive details unencrypted, yet many still aren't. There are over 300 sites reported, with more reports coming every day!

Hopefully, plaintextoffenders.com helps by exposing more and more sites. Once this gets enough attention on twitter or other social media, sometimes sites change their ways and fix the problem! For example, Smashing Magazine and Pingdom have recently changed the way they deal with passwords, and no longer store nor email the passwords in plain text!

The problem is awareness, and I hope that we help the cause with plaintextoffenders.
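To make concrete what separates a "plain text offender" from a site that handles passwords properly, here is an added example (not code from the answer above or from plaintextoffenders.com). It contrasts a record that holds the password itself with a record that holds only a random per-user salt and a slow one-way hash: the second kind can verify a login but cannot produce the password for a reminder email, which is exactly why a password-in-the-mail is proof of bad storage. The iteration count and the sample password are constructed for the illustration, not taken from any real site.

```python
import hashlib
import hmac
import os

# Illustrative work factor for PBKDF2-HMAC-SHA256 (assumption for this example;
# pick a value tuned to your own hardware and threat model).
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """The 'plain text offender' pattern: the stored record IS the secret.
    Anyone who can read the table, a backup, or a reminder email has the password."""
    return {"password": password}


def store_hashed(password: str, salt: bytes = b"") -> dict:
    """Proper storage: a random per-user salt plus a slow, one-way hash.
    Nothing in the record can be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def can_email_password_back(record: dict) -> bool:
    """A 'here is your password' email is only possible when the record still
    contains the password (or something reversible to it). A hashed record cannot
    do this, so a site that sends such mail is storing passwords recoverably."""
    return "password" in record


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    bad = store_plaintext("correct horse battery staple")
    good = store_hashed("correct horse battery staple")
    print("offender can email password back:", can_email_password_back(bad))
    print("hashed site can email password back:", can_email_password_back(good))
    print("hashed site can still verify a login:", verify(good, "correct horse battery staple"))
```

The only legitimate "forgot password" flow for the second kind of record is a time-limited reset token, never the password itself; if a site can send you your password, its storage is, by construction, the first kind.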


Storing a password in plaintext is not really an issue -- at least, much less so than sending the said password in a plaintext email!

This email just proves that the web site administrators are not very careful with the information you entrust them with, and that's a good reason not to entrust them with any more data.


Use a different password for each site. That way, when the password is compromised (whether by snooping on plaintext email transmissions, or even if a database with properly hashed/salted passwords is cracked), the attacker will only be able to access your account on that one site, rather than on all sites on which you have similar account credentials.

...and so you don't have to remember a zillion passwords: Stanford's PwdHash is a handy browser extension that automatically generates unique passwords by hashing a common password you enter with the site's domain.
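The two points in this answer, one password per site and deriving those passwords from a single master by hashing it with the site's domain, can be shown together in a small added example (this is not PwdHash's own algorithm or code, and not part of the answer). It assumes HMAC-SHA256 keyed by the master password over the site's registrable domain, a two-label domain rule in place of the Public Suffix List, and constructed sample domains; `reuse_exposure` then shows how many accounts a single leaked password unlocks in the shared-password case versus the derived-password case.

```python
import base64
import hashlib
import hmac


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels so that www.example.com and
    login.example.com derive the same password. Simplification (assumption):
    a real tool would consult the Public Suffix List for names like co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def derive_site_password(master: str, host: str, length: int = 16) -> str:
    """Per-site password = HMAC-SHA256(key=master, msg=domain), base64-encoded and
    truncated. The domain is the only per-site input, so the user remembers one
    master and the browser (or this function) regenerates the rest on demand."""
    mac = hmac.new(
        master.encode("utf-8"),
        registrable_domain(host).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]


def reuse_exposure(leaked_password: str, accounts: dict) -> list:
    """Given a password leaked from one site, list every account in `accounts`
    (domain -> password) that the same string would open. This is the
    'blast radius' of a breach from the user's point of view."""
    return sorted(d for d, pw in accounts.items() if pw == leaked_password)


def build_accounts(master: str, hosts: list, derived: bool) -> dict:
    """Constructed account table: either the same master everywhere (reuse)
    or a derived password per domain."""
    return {
        registrable_domain(h): (derive_site_password(master, h) if derived else master)
        for h in hosts
    }


if __name__ == "__main__":
    # Constructed sample values; no real accounts or sites.
    master = "correct horse battery staple"
    hosts = ["www.shop.example", "mail.example.org", "forum.example.net"]

    reused = build_accounts(master, hosts, derived=False)
    per_site = build_accounts(master, hosts, derived=True)

    # Suppose shop.example leaks its password table.
    leaked_reused = reused["shop.example"]
    leaked_derived = per_site["shop.example"]
    print("reused password opens:", reuse_exposure(leaked_reused, reused))
    print("derived password opens:", reuse_exposure(leaked_derived, per_site))
```

Two caveats a practitioner would want before adopting such a scheme: the master is a single point of failure, and because the domain is public, a leaked derived password lets an attacker try master-password guesses offline, so the master must be long and unguessable; and a derived password cannot be rotated for one site without changing an input (for example a per-site counter), which plain hashing of the domain alone does not provide.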