That's nothing. My BANK does the same thing. Granted, they do make you change the password immediately afterwards. But still.
They also had a bug where if you had a special character in your password it wouldn't appear in the email they sent you. I pointed this out to the IT person. They fixed the bug... by prohibiting special characters in passwords.
I used to use a bank with a similar bug. It would send you a new password (in plain text) but any special characters would be shown in Unicode. So even though the password might be:
So it's not Marvel's responsibility to keep people's passwords safe because,
1.) If someone was trying to get the person's information, the least of their worries is an easy password for them to get? This may be the dumbest thing I've ever heard.
2.) Anyone who uses the same password for multiple accounts shouldn't do that? Yea. Saying that doesn't fix the issue. You have to tell users to use secure passwords and assume they won't. Because they won't.
3.) Because it only protects their comics from being read? That's still private property that Marvel claims to protect by requiring passwords to gain access. The fact that they treat security like it doesn't matter shouldn't be dismissed with a "so what?".
>So it demonstrates that the passwords are not hashed.
They could still be stored hashed in the front-facing system that handles the logins, etc., but kept non-hashed in another database that is just used as an API endpoint to get the restore emails.
Second, and I think more significantly, they've still got a database of plain-text passwords sitting around. The fact that they might have some systems in which they are stored hashed is kind of irrelevant.
They also had a bug where if you had a special character in your password it wouldn't appear in the email they sent you. I pointed this out to the IT person. They fixed the bug... by prohibiting special characters in passwords.
I need a new bank...