On pizza and passwords

Luke Redpath, 13 November 2009

Having been trying to lose weight for the past nine months, pizza isn’t something I’ve ordered a great deal of late, but whilst trying to use the Dominos Pizza website today I was quite surprised to discover that they appear to be storing their passwords in plain-text.

I couldn’t remember my account password so I promptly followed the “Forgot your password?” link. I entered my email address and answered a security question – pretty standard stuff – and hey presto: “Your password has been emailed to you”.

What? How and why would you do that? Surely you’ve been salting and hashing my password when storing it in the database. And why would you send it unencrypted via email?

But that’s exactly what happened. No temporary password. No unique reset password link. Just my password in all its plain-text glory.
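What the two things this post asks for look like in code, as an added example that is not part of the original post and has nothing to do with Dominos’ actual system: a salted, iterated hash is stored instead of the password, so a “Forgot your password?” flow cannot email it back, and a reset instead issues a random single-use token whose hash and expiry are the only things kept server-side. The two dictionaries are a hypothetical stand-in for a database.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory "database" tables, constructed for this example.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # username -> {"hash": bytes, "expires": float}

PBKDF2_ITERATIONS = 200_000


def store_password(username: str, password: str) -> None:
    """Keep a random per-user salt and a PBKDF2-HMAC-SHA256 digest; never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}


def check_password(username: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def issue_reset_token(username: str, ttl_seconds: int = 900) -> str:
    """Return a random single-use token to put in the emailed link.

    Only its SHA-256 and an expiry are stored, so a database leak does not
    expose usable reset links any more than it exposes passwords."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": time.time() + ttl_seconds,
    }
    return token


def redeem_reset_token(username: str, token: str, new_password: str) -> bool:
    """Accept the token once, before expiry, then replace the stored hash."""
    rec = RESET_TOKENS.get(username)
    if rec is None:
        return False
    if time.time() > rec["expires"]:
        del RESET_TOKENS[username]          # expired: discard, do not accept
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["hash"]):
        return False                        # wrong token: keep the real one valid
    del RESET_TOKENS[username]              # single use: consumed on success
    store_password(username, new_password)
    return True
```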

It’s baffling that they could make such an amateurish mistake. I guess there is an outside chance that they are storing passwords using some kind of public key encryption (which I doubt) but they still sent it to me via email in plain-text anyway. Thank goodness they don’t store my credit/debit card details too!

My initial reaction was to delete my account, but they don’t appear to offer any way of doing this. So I’ve had to settle for firing off an email to concerns@dominos.co.uk with my complaint and hope they take some notice. If I hear back, I’ll post an update.

It makes me wonder how many other high-profile sites out there could be storing passwords in plain-text. Because it’s not like security breaches ever happen, is it?