On the 17th August, a Twitter user made this worrying observation about their password reset:

What’s just happened here is that Virgin Media have confirmed that they store their passwords in plaintext (or, at best, under reversible encryption, which is the next worst thing and just as frowned upon: the site has to hold the key, so anyone who gets the database and the key gets every password). A reset process can only reproduce your existing password if the company can read it. It’s not just terrible security practice, it’s pretty much the textbook example of what you don’t do when storing passwords. It’s exactly what I did when I was 12 and writing LAMP stack social media websites, and didn’t know any better about security or best practices.

Even more laughable than that is the support guy’s response. I’d like to give them the benefit of the doubt — they are, after all, just someone whose main job is to deal with angry customers, so they can hardly be expected to know about security best practices.

However, the response is so dumb. It’s the equivalent of saying ‘our databases are secure, because hacking them is illegal’. Illegality deters nobody who is already planning to dump a database. In fact, it reminds me a bit of this:

Come on guys, it’s 2019. Pretty much every other large company stores passwords salted and hashed with a slow, purpose-built function (bcrypt, scrypt, Argon2 or PBKDF2), so that even a full database dump hands an attacker nothing but expensive guessing work (although there is still a shockingly large list of smaller-scale offenders).
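To make the difference concrete, here is an added example (mine, not code from the original post or from Virgin Media) contrasting the textbook mistake with the textbook fix. The class and function names are illustrative; the only real dependencies are Python’s standard library, using PBKDF2-HMAC-SHA256 from `hashlib` as the slow hash (scrypt, bcrypt or Argon2 would do equally well). The point is the last method on each store: a plaintext store can hand a password back, so a support tool can ‘remind’ a customer of it, while a properly hashed store can only verify one, which is why a real reset flow has to issue a token instead.

```python
"""Added example: a password store that can hand passwords back versus one
that can only verify them. Standard library only; names are illustrative."""
import hashlib
import hmac
import os


class PlaintextStore:
    """The mistake: passwords kept as typed. Anyone with the table (a DBA,
    or whoever dumps it in a breach) has every password, and a 'reset'
    can email the customer their current one."""

    def __init__(self):
        self._rows = {}  # user -> password

    def register(self, user, password):
        self._rows[user] = password

    def verify(self, user, password):
        return self._rows.get(user) == password

    def recover(self, user):
        # This capability is exactly what the reset email demonstrated.
        # It should not exist.
        return self._rows[user]


class SaltedHashStore:
    """The fix: a random per-user salt plus a deliberately slow key
    derivation function. Only salt and digest are ever stored."""

    ITERATIONS = 600_000  # tune so one check costs tens of milliseconds

    def __init__(self):
        self._rows = {}  # user -> (salt, digest)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   SaltedHashStore.ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)  # unique per user: same password, different digest
        self._rows[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        row = self._rows.get(user)
        if row is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            self._derive(password, b"\0" * 16)
            return False
        salt, stored = row
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(self._derive(password, salt), stored)

    def record(self, user):
        """What actually sits in the database for this user (hex)."""
        salt, digest = self._rows[user]
        return salt.hex(), digest.hex()

    def recover(self, user):
        # Deliberately impossible: the site can check a password but never
        # read it back. 'Forgot password' must send a time-limited reset
        # token, not the password.
        raise NotImplementedError("hashed passwords cannot be recovered")


def can_recover(store, user):
    """True if the store can hand a user's password back: the smell the
    tweet exposed."""
    try:
        store.recover(user)
        return True
    except NotImplementedError:
        return False


if __name__ == "__main__":
    bad, good = PlaintextStore(), SaltedHashStore()
    for store in (bad, good):
        store.register("alice", "correct horse battery staple")
    print("plaintext store can recover:", can_recover(bad, "alice"))
    print("hashed store can recover:  ", can_recover(good, "alice"))
    print("hashed store row:", good.record("alice"))
```

Two details worth noticing: the salt means two customers with the same password get different rows, so a dump cannot be attacked by hashing each guess once and comparing it against the whole table, and the iteration count is what turns a leaked table from ‘every password’ into ‘a slow dictionary attack per account’.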

To top it off, Virgin Media is a very large company. They serve over four million people in the UK. That’s four million passwords, many of them no doubt reused on other sites, just waiting to be compromised in the inevitable database breach that every company dreads. But of course there’s no need to worry about that happening, it’s illegal to hack the databases…