Plain text password sent in emails!!

[magda.stremeski_497840]

Hi,

I wanted to say how unhappy I am that the website sends login credentials in plain text via email. First of all, email is NOT a secure medium, and many servers read the contents of the email on the way to my inbox (it's like sending me my password on a postcard. Anyone that holds it can read it). Passwords should never be sent in plain text and it's really unnecessary to do so. Anyone who loses their password should just reset it.

Secondly, the fact that my password and updated password were sent to me in plain text suggests that login details aren't hashed or stored securely on your servers. This puts my details at risk if a hacking event were to happen (and since high profile companies like Sony and Adobe can get hacked, so can this website).

At best, the details are being hashed after they're emailed out, but this really isn't good enough. It's not secure enough. There have been so many public instances of websites being hacked and their user details leaked. Since people often use the same email address and password across multiple sites, this practice is leaving your users exposed to hacking across other sites on the Internet.

I know it's not something that can be fixed immediately, but please PLEASE make a pledge to fix your login system and make our details more secure. It makes me worried about the security of our billing details too, if you can't make a simple login secure enough.

[team.relationships]

Hi Magda

Thank you for your feedback. Please be informed that we addressing the issue.

Sincerely
Piotr
Team JapanesePod101.com

[b0rkb0rk]

I just entered this forum to start a thread on the exact same issue and noticed this post. It's been a month now since the original post, and you are still using insecure methods to store and send login details (as evidenced by the 'welcome' email I just received after upgrading my free account to basic.

This is unacceptable for a commercial website running in 2014.

Please address this as a priority. You owe this to your paying customers.

[b0rkb0rk]

Folks, it's been over two weeks since my post, and three and a half months since the original post of this thread. Are you people even reading these forums?

Please have the decency to reply so we know you are reading these posts, at the very least.

[LinusVE]

Like b0rkb0rk, I also came to the forum to make a thread about this issue.

This is a major security risk that will cause damage to your customers in the event of a hack.
If JapanesePod101 would get hacked, the hackers will also be able to access the primary email accounts of many of your customers, if they happen to be using the same password for that.

Please confirm that you are still working on this issue and that it has priority.

I would also strongly suggest everyone to use/create a unique password for JapanesePod101 and not use this password anywhere else.

[adelholtz_499460]

I dont believe passwords are safed in plain text in their database...
You guys do know that there do exist encryption methods like for example aes that allow a 256 bit encryption that can be decrypted when you have the encryption key?

And btw the aforementioned aes method is way more safe than using md5 or sha1.
I do not approve sending out passwords in plain text, but for different reasons than you guys i guess.

[LinusVE]

Whatever is done on the security in the backend is currently meaningless, because passwords are still being sent out in plain text. We both agree on that and this should be fixed as soon as possible.

Md5 and sha1 are indeed not safe anymore, but secure and modern alternatives exist.
I am no expert on security, but to my knowledge it is unconventional that passwords are stored in any recoverable form in databases nowadays. Therefore it suprised me that japanesepod101 was even able to send passwords by email. I just automatically assumed that they must therefore be stored as plain text, but I might've been wrong on that.

[b0rkb0rk]

It has now been over five months since this issue has been raised, and so far we have had only one single reply from JP101 staff on this thread.

I'm giving it one more week. If there is no official response after this, I will request the closure of my account and a refund of my payment, and I encourage all other users concerned with this issue (and lack of response from the staff) to do the same.

[team.relationships]

Hi

Please be informed that we are addressing the issue.

Sincerely
Piotr
Team JapanesePod101.com

[b0rkb0rk]

Piotr, you told us the exact same thing almost 5 months ago on March 18th and nothing seems to have been done so far. To make matters worse, you once again emailed my login details to me in clear-text, apparently under the mistaken impression that I was having trouble logging in (which is clearly not the case).

Please give us details of the steps you're taking to address the issue.

[derpda]

This needs to be addressed as the passwords are still sent in plain text.
Also, for some reason, I was just logged out of my account and could not log back in with the password saved in my browser, i.e. there is no way it was wrong. I reset my PW and it works again, but these issues might be connected and I must say, I feel like my data is not safe with you guys.

The lack of response is another factor here. I expect a lot more as a paying customer.