When should I submit my website to the plaintextoffenders?
Do I need to submit my website to the plaintextoffenders?
I read the prologue from the official website that had the following description - Plain Text Offenders is an online platform that names and shames sites following insecure practices in protecting client passwords. It regularly posts user-submitted images of password reset emails from companies that exhibit a complete lack of regard for customer password security.
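The practice the site documents is a reset email that contains the user's password, which is only possible when the site keeps passwords in a recoverable form. The following is an added example, not code from Plain Text Offenders or from the question's author: it puts the offending flow (plaintext at rest, password mailed back) beside a hardened flow (salted PBKDF2 hash at rest, single-use random reset token by mail) and ends with the self-check a site owner can run on their own reset email before deciding whether the site belongs on the list. The in-memory dictionaries, the outbox list and the `example.invalid` addresses and URL are constructed stand-ins for a database, a mail server and a real domain.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stores standing in for a user database and a mail server.
HASHED_USERS = {}      # email -> {"salt": bytes, "hash": bytes}   (hardened site)
PLAINTEXT_USERS = {}   # email -> password                         (offending site)
RESET_TOKENS = {}      # token -> email, consumed on first use     (hardened site)
OUTBOX = []            # (recipient, body) for every email "sent"

# ---------- the offending pattern: password stored recoverably and mailed back ----------

def offender_register(email: str, password: str) -> None:
    PLAINTEXT_USERS[email] = password

def offender_reset(email: str) -> Optional[str]:
    """Mails the stored password itself; only possible because it is stored in the clear."""
    password = PLAINTEXT_USERS.get(email)
    if password is None:
        return None
    body = f"Your password is: {password}"
    OUTBOX.append((email, body))
    return body

# ---------- the hardened pattern: salted hash at rest, single-use reset token by mail ----------

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; Argon2id or bcrypt are preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    HASHED_USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}

def verify(email: str, password: str) -> bool:
    record = HASHED_USERS.get(email)
    if record is None:
        return False
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))

def request_reset(email: str) -> Optional[str]:
    """Mails a random single-use token; the password is not recoverable, so it cannot be mailed."""
    if email not in HASHED_USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    body = f"Reset your password at https://example.invalid/reset?token={token}"
    OUTBOX.append((email, body))
    return token

def complete_reset(token: str, new_password: str) -> bool:
    email = RESET_TOKENS.pop(token, None)   # pop: the token is consumed on first use
    if email is None:
        return False
    register(email, new_password)           # fresh salt, fresh hash
    return True

# ---------- the self-check a site owner can run before anyone else submits the site ----------

def reset_email_is_offending(body: Optional[str], password: str) -> bool:
    """True if a reset email reveals the password: exactly the evidence Plain Text Offenders posts."""
    return body is not None and password in body

if __name__ == "__main__":
    offender_register("bob@example.invalid", "hunter2")
    print("offending flow leaks password:",
          reset_email_is_offending(offender_reset("bob@example.invalid"), "hunter2"))
    register("alice@example.invalid", "correct horse")
    request_reset("alice@example.invalid")
    print("hardened flow leaks password:",
          reset_email_is_offending(OUTBOX[-1][1], "correct horse"))
```

Run it as a script to see the two flows side by side; the hardened one can never produce an offending email because nothing recoverable is stored, and the token is discarded by `complete_reset` so a captured reset link cannot be replayed.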
To quote a FAQ:
Aren’t you worried hackers will use your site to find targets?
- Yes, but less worried than having this information remain secret and relying on Security Through Obscurity.
- To be more verbose: There are two possible outcomes from submitting a site to the plaintextoffenders:
  - They fix it - This is more likely to happen when they get publicly shamed. The attack probability increases, too.
    - Also, hiding security problems away (leaving it secure only as long as it is kept secret) rather than fixing them is generally considered a security antipattern, as the NIST "Guide to General Server Security" states:
      "System security should not depend on the secrecy of the implementation or its components."
  - They do not fix it - Then it is at least documented publicly and externally.
    - To be more specific, thanks to Chris Cirefice who pointed out in the comments more explicitly what I had in mind:
      "documented publicly and externally" - with timestamps. So if a student loan company is hacked and the students' bank details are released due to lack of compliance with (U.S.) government policies, e.g. the Gramm-Leach-Bliley Act, the students could sue the company, and the timestamps of public release of failure to comply would be great evidence in court for recompense.