Archive for April 2011
In May 2009 I published a blog post entitled Whatever happened to Live Clipboard? where I asked what had become of Microsoft’s Live Clipboard incubation project. This is how I described Live Clipboard back then:
In other words, it is copy and paste for the web.
[Learn more about Live Clipboard at http://www.liveclipboard.org/]
Nothing has been heard of Live Clipboard since then, which I find eminently disappointing. However, today I saw an article by John Cook entitled Ex-Microsoft and Yahoo research guru Gary Flake starts stealthy Clipboard. This is interesting because Gary Flake was the head of Microsoft’s Live Labs, which is where, I believe, Live Clipboard came from. Now Flake has a startup called “Clipboard” – does that sound like more than a healthy coincidence to you? It does to me! I wonder whether Live Clipboard is going to make a triumphant return… I hope so!
Yesterday I attempted to log in to www.justgiving.com and discovered that I had forgotten my password. They have a “Forgotten your password” link, which I used, and I was startled to find that they emailed me my actual password rather than emailing a link with which I could reset the password. This is BAD – it means they are storing passwords in clear text and are wide open to the type of hack that hit Gawker recently. I emailed them with the following remarks:
I have just discovered that JustGiving.com stores user passwords in plain text in your database. I have no wish to be registered with an organisation that is so lackadaisical with their users’ security and hence I wish for my membership to be ceased and all my details removed from your database.
Please could you let me know when this has been done.
Thanks in advance
Today I received this reply:
Thank you for your message about our emails and how we can improve the way we communicate passwords to our users.
Please note that the way we store card details is completely secure. We comply with Payment Card Industry standards, which means that a JustGiving login (email address and password) is not enough to make a donation. Card details aren’t visible in full to our account holders and we don’t store card security codes.
We send out login details and password reminders in clear to account holders as do several other major websites. However, as you have rightly pointed out, this may be a cause for concern for users and we’re looking at how best to address it.
We’re always working to improve our communication to users and welcome any suggestions you may have for us.
I have deactivated your account as requested. Please get back in touch if you’d like it re-activated at any time.
(emphasis is mine)
I’m disturbed that they think storing payment card details in an encrypted format is sufficient for protecting their users’ personal details, and likewise I don’t like that their justification for putting their users at risk is “other websites do it”. On the plus side, they have deactivated my account and said they are looking into a better way of storing passwords in the future. I replied with the following:
Thank you for your reply.
You note that card details are stored in an encrypted format but clearly passwords are not. Here is a case study of another company that stored passwords in a similar way and was later hacked: http://www.computing.co.uk/ctg/news/1931991/gawker-passwords-hacked. I find it rather strange that you try to justify this by effectively saying “other people do it”.
Nevertheless I appreciate your response and action on my behalf. Please can you confirm that all my details have been removed from your database – simply deactivating the account is not sufficient.
I will update this post if I get a reply!