ISACA - Do as I say, not as I do

Updated on 12/17/2008:

ISACA's reply (paraphrased, emphasis is mine) is that the password management system will change with the next update to their web site, and that users will be able to choose whether to have a password hint displayed or to have their old password sent back to the email address on record.

My reply to ISACA's:

The problem with being able to send a user's old password back to them is that it implies the password is stored in a form that can be retrieved. That means either storing the password in plaintext in the database, or applying some (often home-grown) reversible encoding or encryption to it, such as ROT-13 or XOR.

This also implies that people who maintain the DB (and possibly the site) can have access to that data. Of course, I expect ISACA to have procedures in place to review access privileges and log all access attempts. Still, I would rather know that my password is stored as a one-way hash that cannot be reversed.

Original post:

In the current threat environment, best practices for web sites mandate that when a user has forgotten his/her password, a new one be created for them and sent to the address on record. It is disappointing to see a giant of security like ISACA not follow that advice with their own web site.
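The two points above, one-way storage so that nobody with database access can read a password back, and a reset flow that never mails the old password, are easy to demonstrate together. The following is an added example written for this page; it is not ISACA's code or anything from the original post. It uses only the Python standard library: PBKDF2-HMAC-SHA256 with a random per-user salt for the one-way hash, and a random, single-use, expiring reset token in place of the old password. The in-memory user store, the email addresses, and the iteration count are all constructed for the example.

```python
"""Password storage and reset built on a one-way hash (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: work factor kept modest so the demo runs quickly; raise it to a
# current recommended value for real deployments.
ITERATIONS = 200_000
SALT_BYTES = 16
RESET_TTL_SECONDS = 15 * 60

# In-memory user store, email -> record. Constructed for the example; a real
# site would keep this in its database, with exactly the same fields.
USERS: Dict[str, dict] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(email: str, password: str) -> None:
    """Store only salt and digest; the cleartext is discarded immediately."""
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "digest": digest,
                    "reset_token_hash": None, "reset_expires": 0.0}


def verify(email: str, password: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    rec = USERS.get(email)
    if rec is None:
        return False
    _, candidate = hash_password(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["digest"])


def begin_reset(email: str) -> Optional[str]:
    """Issue a reset token to mail to the address on record.

    The old password cannot be produced here: the store holds only its hash.
    Returns None for unknown addresses so the caller can send the same generic
    message either way and not reveal which addresses are registered.
    """
    rec = USERS.get(email)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so reading the DB does not yield a usable token.
    rec["reset_token_hash"] = hashlib.sha256(token.encode("utf-8")).digest()
    rec["reset_expires"] = time.time() + RESET_TTL_SECONDS
    return token


def complete_reset(email: str, token: str, new_password: str) -> bool:
    """Accept the token once, within its lifetime, and replace the stored hash."""
    rec = USERS.get(email)
    if rec is None or rec["reset_token_hash"] is None:
        return False
    if time.time() > rec["reset_expires"]:
        rec["reset_token_hash"] = None
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, rec["reset_token_hash"]):
        return False
    salt, digest = hash_password(new_password)
    rec.update(salt=salt, digest=digest, reset_token_hash=None, reset_expires=0.0)
    return True


def stored_record_reveals_password(email: str, password: str) -> bool:
    """Sanity check for the claim above: the cleartext must not appear in the stored bytes."""
    rec = USERS[email]
    return password.encode("utf-8") in (rec["salt"] + rec["digest"])


if __name__ == "__main__":
    register("member@example.invalid", "correct horse battery staple")
    print("login ok:", verify("member@example.invalid", "correct horse battery staple"))
    print("cleartext in DB:", stored_record_reveals_password("member@example.invalid",
                                                             "correct horse battery staple"))
    token = begin_reset("member@example.invalid")
    print("reset ok:", complete_reset("member@example.invalid", token, "new passphrase 42"))
    print("old password still works:", verify("member@example.invalid", "correct horse battery staple"))
```

The contrast with a "mail me my password" feature is in `begin_reset`: given full read access to `USERS`, an operator can see salts, digests and hashed tokens, but has nothing that yields a member's password, and a leaked token is useless after one use or after the TTL.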

1 comment:

lespea said...

Thank you!

This is pretty sad when ISACA, of all groups, can't manage to implement password storage correctly. It's not like it's a challenging problem with no real solutions.

Even having the option of your password mailed to you is horrible.

Why, ISACA, why!