An Open Letter to USA Cycling and its Members:

On March 18, 2016, USA Cycling (USAC) notified its membership that a security breach had taken place and that some personal information had been compromised. The goal of this letter is to highlight the numerous ways in which USAC has failed, and continues to fail, to protect its members' personal information and to implement standard web security practices.

Following the breach, USAC informed its members that sensitive information, including name, mailing address, email address, date of birth, and emergency contact information, had been compromised. In that same email, USAC advised that, “if your USA Cycling password is used in other accounts, you change your password in those other accounts immediately”. As an IT professional, I understood this to mean that USAC did not take any steps to encrypt or otherwise secure its members' passwords — that those passwords were stored in the USAC database exactly as we would enter them when logging in; an incredibly insecure decision.

This suspicion was later confirmed by an individual within USAC:

Subsequently, USAC directed all of its members to set new passwords. The following is a screenshot of the original email from USAC, with the specific instructions to reset your password highlighted:

USAC failed again in its communication to members by not clearly stating that the link to reset your password 1) can only be used once; and 2) is a unique link only for the recipient of the email. This oversight had real consequences as users copied and pasted the link to share across social media sites, advising their teammates and friends on how to reset their passwords.

Well-intentioned members sharing their private password reset links

When clicking on the password reset link, members are taken to a page to set their new password. Here’s what it looked like when I clicked the link:

USAC’s password reset page

After filling in my desired password, retyping it, and hitting “Next Step,” I was asked to set a security question before finishing the process.

I tried logging in, only to be told my username and password were wrong. Multiple attempts using my license number and the password I had just set and confirmed all failed. Clicking the “Forgot Password” link tells you to email USAC:

Having emailed USAC and received a new link, I went through the process of resetting my password again, meticulously typing in the exact same password every single time, and again being unable to log in.

I exchanged more emails with USAC before finally receiving the following:

Nowhere on the password reset page are we told about any password requirements other than, “must be at least 8 characters long.” Surely if I had entered a password that didn’t fit the guidelines, I would have been told that my password was invalid? USAC’s website wouldn’t accept a password that it knew was “bad,” right? I replied to USAC and asked.

Oh.

Wrong. USAC’s website is not only incapable of communicating to members that passwords must be:

At least 8 characters

But no more than 15 characters

Containing only letters and numbers

The website will also allow you to submit an invalid password, leading to the situation I experienced in which you continuously try logging in with a password you know is what you put on the reset form, yet confusingly doesn’t work.

Furthermore, and most alarmingly, these draconian restrictions are evidence that USAC is still not encrypting its members' passwords; that USAC is still storing our passwords in plain text. With proper security procedures in place, the content and length of a user’s password have little to no impact on the website’s ability to protect it: a password hash is a fixed-size value no matter what goes in, so whether your password is ten letters or ten thousand letters and symbols, standard security practices of encryption (hashing is the technically more accurate term) can handle it. A limit of 15 letters and digits only makes sense if the site needs the password to fit, as typed, into a fixed-width database column.
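To illustrate the point above, here is an added example (not USAC's code) showing why a hashed password store has no reason to cap length or character set, alongside the 8-to-15-character letters-and-digits rule described in this letter and a reset handler that rejects a bad password up front instead of silently accepting it. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the function names and the exact policy are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

# The restriction quoted in the letter: 8 to 15 characters, letters and digits only.
# (Constructed here to match the letter's description, not taken from USAC's code.)
LEGACY_RULE = re.compile(r"[A-Za-z0-9]{8,15}")


def legacy_accepts(password: str) -> bool:
    """Would the plaintext-store policy described above accept this password?"""
    return LEGACY_RULE.fullmatch(password) is not None


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Derive a fixed-size, salted hash; the plaintext itself is never stored.

    Any length and any characters are fine: the output is always 32 bytes.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_size(stored: str) -> int:
    """Size in bytes of the stored digest, independent of the password's length."""
    return len(stored.split("$")[-1]) // 2


def reset_password(password: str, min_len: int = 8) -> str:
    """Reset handler that validates before storing, so a rejected password is
    reported on the form rather than discovered at the next failed login."""
    if len(password) < min_len:
        raise ValueError(f"password must be at least {min_len} characters long")
    return hash_password(password)
```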

The multiple failures of USAC to accurately communicate with members and to protect members’ information are appalling. That an organization representing more than 60,000 individuals fails to adhere to the most basic internet security practices (encrypting passwords) is an embarrassment that we, as members, should not tolerate.

With respect,

Brian Cheung