Are You A Good Steward With Your Investment Dollars?

So you are invested in a major bank or financial institution. No? Do you have money in a bank or financial institution? You have done your homework, and you are certain you have made a good decision. But have you investigated things for yourself? Are their IT department and their procedures up to snuff? Want to try a quick test? Do you have an account with them? Good! Let's pretend you forgot your password. Go to their site and go through the lost password procedure. We can wait....

OK, so did you have to reset your password? If so, that's GOOD! Did they email your password to you? If so, that's BAD! Let me tell you why.

Most secure systems take your password when you set it and do something called hashing: they apply some sort of algorithm to convert your password into a hash. When you log in later and enter your password, they hash this entry again, and if the hashes match, your login is accepted. If the system hashes your password, it cannot be converted back, so if you forget it they can't email you your password. If, however, they store the password you enter at sign-up in the database as plain text, then they can send it to you in an email when you forget it.
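The flow described above, as an added example that is not from the original post or from any real institution's code: the site keeps only a salt and a hash, checks a login by re-hashing, and can answer "forgot password" only with a one-time reset token. The function names, the in-memory dictionaries and the choice of salted PBKDF2-HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the site's database tables.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex digest -> username

def hash_password(password, salt):
    # Assumed algorithm: salted PBKDF2-HMAC-SHA256, deliberately slow to compute.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)

def register(username, password):
    # Only the random salt and the resulting hash are stored, never the password.
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def login(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    # Hash the submitted password with the stored salt and compare in constant time.
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)

def forgot_password(username):
    # There is no stored password to email, so the site issues a random
    # one-time token (sent as a link) and keeps only the token's hash.
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token

def reset_password(token, new_password):
    # pop() makes the token single-use; a real site would also expire it.
    key = hashlib.sha256(token.encode()).hexdigest()
    username = RESET_TOKENS.pop(key, None)
    if username is None:
        return False
    register(username, new_password)
    return True

if __name__ == "__main__":
    register("alice", "correct horse battery")          # constructed sample data
    print(login("alice", "correct horse battery"))      # accepted
    link_token = forgot_password("alice")
    print(reset_password(link_token, "new passphrase")) # user must choose a new one
```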

What's wrong with that? Databases get hacked all the time, and when it happens, how many customers will be outed? What will happen to your investment when the media starts talking about this? Note I said when, and I mean when. Any organization that makes the poor decision to store passwords as plain text is going to make other stupid security decisions that will eventually lead to a disaster of epic proportions, and your investment will of course suffer.

What can you do? Start working your way through the tree to the board or CEO. Demand they fix this shoddy policy immediately.

Why am I writing this? Because a blogger/podcaster to whom I listen on occasion posted recently that just this situation happened. He forgot a password, went through the forgot password process and received his old password in email. Since the financial institution is tied to the company he works for, he can't out them. So I am calling on you, the financial investor, to figure out who the company is and call them to task before they take your money and their customers for a ride into the hole.