Ordered some bits'n'bobs today I found going cheap at PCWorld. I'd clearly registered before as my email was 'in use' but I'd forgotten my PCWorld password, so I clicked the box and they sent me a new machine-generated one by simple email. I was a bit surprised at the absence of any kind of security as, in my view, that email put the new password at risk. So I immediately logged in using the new password, and changed it to one of my liking, restoring security.
A few minutes later I got another email, confirming I'd changed my password, and confirming my newly chosen password in plain text. It's a password that I use on various other shopping sites too. An email can be likened to an open postcard, inasmuch as an awful lot of people can get to read it before you do, so I will now need to change that password on all sites.
But it seems my PCWorld account is permanently vulnerable, as whatever I set the password to will immediately be bounced back in an unencrypted email, making the new password immediately insecure as well. Is it just me, or does anybody else get the feeling that many of the big corporates really don't have the slightest idea when it comes to on-line security?
I suppose I ought to complain but, let's face it, I reckon they're unlikely to understand...