If a "forgot your password?" page emails your old password, is that definitive proof that they have stored it in plain text?
Mar 15, 2026 · 522 views
Problem
When a site emails your old password, as opposed to requiring you to reset it on the site, I'm wondering what that implies about their security measures. Does this mean that they store the password in plain text for their own convenience or could they still use encryption on the password?
1 Fix
They might be using encryption when the password is stored in the DB but they shouldn't be storing it in a retrievable format at all, encrypted or otherwise. They should be taking a one-way hash of the password (plus a salt). This means they can che…
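The storage scheme the answer describes (a one-way hash plus a salt), together with the on-site reset the question contrasts it with, as an added example that is not part of the original answer. PBKDF2-HMAC-SHA256, the iteration count, the dict-based record and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # assumed work factor for this example; tune for your hardware

def hash_password(password):
    """Build the record to store: a per-user random salt and a one-way hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify_password(record, candidate):
    """Re-derive the hash from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def start_reset(record, ttl=900, now=None):
    """Issue a single-use reset token; only its SHA-256 is kept server-side."""
    token = secrets.token_urlsafe(32)
    record["reset_hash"] = hashlib.sha256(token.encode()).digest()
    record["reset_expires"] = (time.time() if now is None else now) + ttl
    return token  # this goes in the e-mailed link; the old password cannot

def finish_reset(record, token, new_password, now=None):
    """Accept the token once, before expiry, then replace salt and hash."""
    now = time.time() if now is None else now
    stored = record.get("reset_hash")
    presented = hashlib.sha256(token.encode()).digest()
    if (stored is None or now > record["reset_expires"]
            or not hmac.compare_digest(stored, presented)):
        return False
    record.update(hash_password(new_password))
    del record["reset_hash"], record["reset_expires"]
    return True

if __name__ == "__main__":
    rec = hash_password("correct horse")  # constructed sample password
    print("login ok:", verify_password(rec, "correct horse"))
    tok = start_reset(rec)
    print("reset ok:", finish_reset(rec, tok, "battery staple"))
    print("old password still works:", verify_password(rec, "correct horse"))
```

Nothing in the stored record can be turned back into the password, so the only thing the site is able to e-mail is the short-lived token.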