Skip navigation

Several weeks ago, I got on the train and sat down. The seat was a lot less comfortable than it should have been, so I reached down, and lo! I found a folder containing some very sensitive information, that appeared to belong to a government employee in training.

A few days ago, I was registering with the NYT, and was denied the option of using my regular (rather heavily obfuscated) password by a foolish password policy:

Password can only contain letters a-z, numbers 0-9, periods ., underscores _, and hyphens -.

Now that’s bad enough, and this subject has been discussed at length by others, so I sent them an email regarding this. This was what I got as a reply (note that I’ve masked some parts):

Thank you for contacting NYTimes.com.

To help you get immediate access to our Web site, we have reset your password.

Please log in with the following information:
Member ID:
paulucy

Password:
************
Please go directly to the following Web address (URL) to sign out of
NYTimes.com :

http://www.nytimes.com/signout

Then click on the link to “log in”.

On the page that follows, look at the right part of your screen for
the section marked “Log In Now”
(please make sure that you do not register again )
and enter your Member ID and Password as shown above.

Please note that your browser must accept cookies from NYTimes .com in
order to go beyond the log-in screen.

And remember to click on the Log In button to submit your request.

Also, we suggest that you immediately select a new password in the
Your Profile area of our Member Center at:
http://www.nytimes.com/profile

While you are on this page, please take a moment and select a Secret
Question & Answer, if you haven’t already. This will make retrieving
your password easier in the future.

We recommend that you write down your log in information.

Regards,
Pam White
NYTimes.com
Customer Service
http://www.nytimes.com/help

That’s right, they responded to a query about the limitations of the password system by giving me the password of another user. It wasn’t only completely useless to me, but it violated someone else’s privacy and security.

In both cases I have done my best to get the issues corrected, beginning with informing the people affected by the lapse.

Security is hard to do, and people make mistakes. Maybe I’ve just been very lucky in being the person discovering these leaks, rather than being the victim of them, but who knows? Is everyone as nice as me when they find stuff like this?

About these ads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: