When it comes to websites with bad password policies, there’s no shortage of bad actors. Sites—some operated by banks or other financial services—that allow eight- or even six-character passwords, sometimes even treating upper- and lower-case letters as interchangeable? Yup. Sites that e-mail forgotten passwords in plaintext? Sadly, all the time. Ars largely stopped reporting on them because they’re better covered by Twitter accounts like this one.
But recently, I saw a site policy so bad I couldn’t stay quiet. It’s Greyhound.com, a site that among other things lets people book bus travel and redeem rewards for past trips. The site allows passwords as short as four characters—including 1234. And when a user forgets a password, Greyhound.com will send the plaintext of the PIN or password in e-mail, an indication that the site isn’t using any sort of cryptographic hashing to protect user passwords in the event that Greyhound’s database is ever breached.
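For contrast, here is an added illustration (not Greyhound's code and not from this article) of the controls a site like this is missing: a minimum-length policy that rejects entries such as 1234, salted password hashing so a stolen database does not yield the passwords themselves, and a one-time reset token sent in place of the stored password. The in-memory user table and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

MIN_LENGTH = 12          # assumed policy; the site in the article accepts four characters
PBKDF2_ROUNDS = 600_000  # PBKDF2-HMAC-SHA256 iteration count
_users = {}              # constructed in-memory "database": username -> record

def password_acceptable(password):
    """Reject passwords that are short, digit-only (e.g. '1234') or nearly uniform."""
    return len(password) >= MIN_LENGTH and not password.isdigit() and len(set(password)) >= 4

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)  # fresh random salt per user; the server stores salt + digest
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, password):
    if not password_acceptable(password):
        return False
    salt, digest = hash_password(password)
    _users[username] = {"salt": salt, "digest": digest, "reset_token": None}
    return True

def verify(username, password):
    rec = _users.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])  # constant-time comparison

def issue_reset_token(username):
    """A 'forgot password' e-mail should carry a one-time token, not the password."""
    rec = _users.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset_token"] = hashlib.sha256(token.encode()).digest()  # store only its hash
    return token

def reset_password(username, token, new_password):
    rec = _users.get(username)
    if rec is None or rec["reset_token"] is None or not password_acceptable(new_password):
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["reset_token"]):
        return False
    rec["salt"], rec["digest"] = hash_password(new_password)
    rec["reset_token"] = None  # single use; token expiry omitted for brevity
    return True
```

Because only the salt and digest are stored, a leaked copy of `_users` cannot be e-mailed back to anyone as a password, which is exactly the property a plaintext-recovery site lacks.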
Worst of all: Greyhound.com provides no mechanism for changing a password. Ever. If an account is breached or a password is compromised, the account is stuck with that bad passcode indefinitely. Last week, I explained to a Greyhound spokeswoman why password hashing and password resets were crucial to security and asked if her company had any plans to add them to Greyhound.com. Her response: