
If a "forgot your password?" page emails your old password, is that definitive proof that they have stored it in plain text?

When a site emails your old password, as opposed to requiring you to reset it on the site, I'm wondering what that implies about their security measures.

Asked by: Guest | Views: 290
Total answers/comments: 2
Guest [Entry]

They might be using encryption when the password is stored in the DB, but they shouldn't be storing it in a retrievable format at all, encrypted or otherwise.

They should be taking a one-way hash of the password (plus a salt). This means they can check that the password you enter now matches the one you gave before, but they (or some cracker with access to their DB) cannot find out what it is. Encrypting the password means a cracker would have to find the DB and the encryption key, but since the key must be on the server serving the website, this is hardly inconceivable.

So if they can send you your password, this means they are not following well-known security best practices.

Bad practice like this is a good reason for using a different password for every website you register at.
Guest [Entry]

As Dave said, they could and hopefully are using encryption, but I have seen sites that store passwords in plain text. They could also generate a new temporary password when you hit the "I forgot my password" button, which you have to change the first time you log in with it. The bottom line is you don't know how they store your password. Unless the site is hosted by the same company that you get support from, and they only have a few people, it is unlikely that you would be able to ask anyone who would know how it is stored, and even if they did know, it is unlikely they would tell you.
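An added example (not from either answer above) that puts both answers together: the first answer's salted one-way hash, which leaves the site with nothing to email back, and the second answer's reset flow, which issues a temporary password that must be changed on first login. The function names, the in-memory account record and the iteration count are constructed for this demo; it uses only the Python standard library.

```python
import hashlib
import hmac
import os
import secrets

# Constructed cost parameter for the demo; a real deployment tunes this upward.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash (PBKDF2-HMAC-SHA256). There is no inverse operation,
    so a record built from this can be checked against but never read back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def create_account(password: str) -> dict:
    """The record a site should keep: salt and hash only, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_change": False}

def check_login(account: dict, attempt: str) -> bool:
    """Recompute the hash of the attempt and compare in constant time."""
    candidate = hash_password(attempt, account["salt"])
    return hmac.compare_digest(candidate, account["hash"])

def forgot_password(account: dict) -> str:
    """Reset flow from the second answer: mint a fresh temporary password, store
    only its hash, and flag the account so the user must change it. The old
    password was never recoverable, so there is nothing old to send."""
    temporary = secrets.token_urlsafe(12)
    account["salt"] = os.urandom(16)
    account["hash"] = hash_password(temporary, account["salt"])
    account["must_change"] = True
    return temporary  # delivered to the user once; not retained in plain form

def change_password(account: dict, current: str, new: str) -> bool:
    """After logging in with the temporary password, the user sets a new one."""
    if not check_login(account, current):
        return False
    account["salt"] = os.urandom(16)
    account["hash"] = hash_password(new, account["salt"])
    account["must_change"] = False
    return True

if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    assert check_login(acct, "correct horse battery staple")
    temp = forgot_password(acct)
    assert not check_login(acct, "correct horse battery staple")  # old one is gone
    assert acct["must_change"] and check_login(acct, temp)
    assert change_password(acct, temp, "new passphrase") and not acct["must_change"]
    print("stored fields:", sorted(acct))  # salt, hash, must_change; no plaintext
```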