« on: September 25, 2014, 01:50:44 AM »
There is no conceivable reason for any site to send you your password in plaintext. It doesn't matter how they are storing it; the fact that they send out your password indicates that they don't know a lot about security. If you only use a PayPal account for checkout it probably doesn't matter that much to you, because they don't see your credit card/bank account info. However, I would never type credit card info into their site. If they follow good security practices then they should never actually store your credit card info, but emailing passwords in plain text is sort of an indicator, right?
As Godzillian said, they could be storing passwords in plain text or with two-way encryption. Two-way encryption isn't quite as safe, as that means if they get hacked, bad guys possibly could decrypt the passwords (lots of detailed factors are involved that indicate how hard this would be). Normal practice is to 'salt' and hash the password. The salt adds protection from a dictionary attack if the password database is stolen.
Bottom line is better safe than sorry. I've had my credit card info stolen from what used to be my favorite goody store. It's a pain in the butt, as you're vulnerable to both the hassle of replacing your card and also identity theft, which means dealing with credit bureaus so bad guys can't go to town on your ass.
/bama
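The salt-and-hash practice mentioned in the post above, as an added example that is not part of the original post: it stores the same password for two users with and without a salt and checks each store against a table of digests computed in advance. The user names, word list, function names and PBKDF2 round count are assumptions made up for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Weak scheme: a bare digest, identical for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salt and hash: random per-user salt fed into a slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def precomputed_hits(stolen: dict[str, str], wordlist: list[str]) -> list[str]:
    """Users whose stored value appears in a digest table built once, in advance."""
    table = {unsalted_hash(word) for word in wordlist}
    return sorted(user for user, value in stolen.items() if value in table)


# Constructed sample data: two users who picked the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1"}
WORDLIST = ["password", "letmein", "sunshine1"]

unsalted_db = {user: unsalted_hash(pw) for user, pw in USERS.items()}
salted_db = {user: salted_record(pw) for user, pw in USERS.items()}
salted_hex = {user: digest.hex() for user, (_, digest) in salted_db.items()}

if __name__ == "__main__":
    print("unsalted hits:", precomputed_hits(unsalted_db, WORDLIST))
    print("salted hits:  ", precomputed_hits(salted_hex, WORDLIST))
    print("login check:  ", verify("sunshine1", salted_db["alice"]))
```

Neither store can hand the original password back, so a site using either one has nothing to email; it can only issue a reset.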