When using a password for a website, it is important not to re-use that password elsewhere. The first reason is that if your password is guessed on one website, it can then be re-used on every other site where you chose the same one. The second reason is that if the website gets hacked and they aren’t hashing your password, then the attackers can use that password on other sites with no effort at all.
Tonight, I wanted to register a new baby car seat on Britax.com. I did so, but was then intrigued by the idea of making a user account on the site, figuring this would be a good way to keep track of all the products I’ve registered with them and to double check there aren’t any recalls. So, I went ahead and did so. I use LastPass to create 50-character passwords for all sites that will allow it, and did so on Britax.com. Upon login, what did I see?
Yes, that is my CLEAR TEXT password (with a grey bar over it). That is VERY BAD: it means that Britax does NOT hash the passwords. This means that anyone with access to their website (hackers, SUPPORT STAFF, site admins, customer service) can see my password. A malicious or disgruntled customer service employee could take my username, email, address, and password and sell them or use them without my consent.
Oh but wait, it gets worse!!! Remember that time I mentioned using a 50-character password? Right, I did here. With the grey privacy block over the password, you’re unable to count, but they actually shortened my password down to 24 characters. SO I can log in with my original 50-character password, or with just the 24-character version. Britax has deliberately shortened my password and made it less secure. Thanks. Hopefully their child seats are better than their website security.
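To make the two problems concrete, here is an added example (my own illustration, not Britax’s code or anything taken from their site) that puts a store mirroring the behaviour described above, cleartext storage plus silent truncation to 24 characters, next to a store that hashes the full password with a per-user salt using PBKDF2-HMAC-SHA256 from the Python standard library. The account name and the 50-character password are constructed for the demo. The `shortest_accepted_prefix` helper is the same check I did by hand: it tells you how much of your password the site actually uses.

```python
import hashlib
import hmac
import os

# Constructed 50-character sample password (not a real credential).
FULL_PASSWORD = "Zq8!rT2#vL9pWm4sX7yB1nK6cD3fG5hJ0aE2uI4oP8lM7kN3jH"
USER = "parent@example.com"  # constructed sample account


class CleartextTruncatingStore:
    """Mirrors the behaviour described in the post: the password is cut to
    24 characters and kept as-is, so anyone who can read the user table
    (or the account page) sees the password itself."""
    MAX_LEN = 24

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = password[: self.MAX_LEN]

    def login(self, username, password):
        stored = self.users.get(username)
        # Both the full password and its 24-character prefix are accepted.
        return stored is not None and stored == password[: self.MAX_LEN]

    def support_view(self, username):
        # What a support/admin page would show: the password in the clear.
        return self.users[username]


class HashedStore:
    """Salted PBKDF2-HMAC-SHA256 (stdlib only): the whole password goes into
    the derivation and only salt, iteration count and digest are stored."""

    def __init__(self, iterations=600_000):
        self.iterations = iterations
        self.users = {}

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        salt = os.urandom(16)  # fresh random salt per user
        self.users[username] = (salt, self.iterations, self._derive(password, salt, self.iterations))

    def login(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, iterations, digest = record
        # Constant-time comparison of the stored and freshly derived digests.
        return hmac.compare_digest(digest, self._derive(password, salt, iterations))

    def support_view(self, username):
        salt, iterations, digest = self.users[username]
        # Staff see only the salted digest, never the password.
        return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def shortest_accepted_prefix(store, username, password):
    """Return the shortest prefix of `password` the store still accepts,
    i.e. how many characters the site really checks (len(password) if all)."""
    for n in range(1, len(password) + 1):
        if store.login(username, password[:n]):
            return n
    return None


def compare_stores(password=FULL_PASSWORD, iterations=600_000):
    """Register the same user in both stores and report what each one does."""
    prefix = password[: CleartextTruncatingStore.MAX_LEN]
    bad, good = CleartextTruncatingStore(), HashedStore(iterations)
    bad.register(USER, password)
    good.register(USER, password)
    return {
        "cleartext_full_login": bad.login(USER, password),
        "cleartext_prefix_login": bad.login(USER, prefix),
        "cleartext_chars_checked": shortest_accepted_prefix(bad, USER, password),
        "cleartext_support_sees": bad.support_view(USER),
        "hashed_full_login": good.login(USER, password),
        "hashed_prefix_login": good.login(USER, prefix),
        "hashed_support_sees_password": password in good.support_view(USER),
    }


if __name__ == "__main__":
    for key, value in compare_stores().items():
        print(f"{key}: {value}")
```

The hashed store accepts only the full 50 characters, and its support view exposes nothing but a salt and a digest; the cleartext store accepts any input whose first 24 characters match and hands the password itself to anyone who can query it. One caveat worth knowing even with a proper hash: bcrypt only uses the first 72 bytes of a password, so a site using it should either document that limit or pre-hash longer inputs rather than silently cutting them.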