Prospects.ac.uk send you your password in plaintext even if you don’t want it

Update: I have received a few emails back from Prospects. The first was an automated message providing me with a username and password to log in to their service desk, the irony of which wasn’t lost on me.

I’ve then received confirmation that my account will be closed within 48 hours, and then I had a further email from David Sherwin, who is the Web Traffic and Communication Manager at Prospects:

Hi David

Thanks for your email.

We are investigating the issues you have raised.

We have taken steps to deal with your immediate concerns.

Regards

David Sherwin

The email was CC’d to 6 other people within Prospects, which suggests they are taking my issues seriously, which I am pleased about.

Original post follows:

Today Prospects – ‘the UK’s official graduate careers website’ – decided to remind me by email that I still have an account with them. Just in case I had forgotten, they included my password in plaintext, which means either they are storing it in plaintext or they are encrypting it in a reversible manner (just as bad, I guess).

I have contacted them about this, and also emailed them asking them to delete my account as there doesn’t seem to be a way of doing it online.

The horrors don’t stop there though. If you visit their ‘Change my password’ page, not only is communication not over SSL, but for some ridiculous reason they embed your password as a value in the ‘Your existing password’ field even though it’s hidden. Someone actually made a conscious decision to do this. I would love to know why.

I don’t think I’ve ever seen something quite so stupid on the Internet.
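For contrast with the two behaviours described above (the password in the reminder email and the password pre-filled into the change form), here is an added example, not Prospects' code and not from the original post, of storage that makes both impossible: the server keeps only a salted one-way hash, the reminder carries a one-time reset token, and the change handler checks what the user types. All function names, the PBKDF2 iteration count and the `example.invalid` URL are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def hash_password(password: str) -> dict:
    """Return the only password material the server stores: salt + one-way hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])

def reminder_email(username: str, record: dict) -> tuple[str, str]:
    """Account reminder: carries a one-time reset token, never the password."""
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a database leak does not expose live links.
    record["reset_token_hash"] = hashlib.sha256(token.encode()).digest()
    body = (f"Hi {username}, you still have an account with us.\n"
            f"Forgotten your password? https://example.invalid/reset?token={token}")
    return body, token

def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    """Accept a valid reset token once, then replace the stored hash."""
    expected = record.get("reset_token_hash")
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return False
    del record["reset_token_hash"]  # single use
    record.update(hash_password(new_password))
    return True

def change_password(record: dict, typed_current: str, new_password: str) -> bool:
    """Change-password handler: the user types the current password and the
    server checks it against the hash, so the form never needs to contain it."""
    if not verify_password(record, typed_current):
        return False
    record.update(hash_password(new_password))
    return True
```

A production version would also give the reset token an expiry time and serve both the reset link and the change form over TLS.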
