
Call of Duty Elite Has Amazing Security

DrinkingAndDeriving    2011-11-15 12:42:50    3,018    0

I had tried to register for Elite yesterday, and the servers were being funny, so I wasn't sure if I'd registered. I just now tried to reset my password, and I got the following:
Hello Josh

Forgot your password? These things happen. Access your account with the password below:

{Actual Unencrypted Password}
Really? They're storing hundreds of thousands of passwords in plain text??
EDIT: Not sure what the downvotes are for; surely it's not because huge companies like Steam and Sony never get hacked and their user bases leaked...
Further EDIT: Perhaps I seemed too snarky, and I apologize for that. The problem here is that if this store of user information is compromised, then your precious data, specifically your login credentials, are either poorly protected or not protected at all. If you're like most people, you keep a common password between various sites. It's wrong, but prevalent. So getting into CoD:Elite means they're getting into a lot of other places, if they do. I don't really care about Karma (hence the self post, rather than a link to a screenshot of the email), but this is something you should be concerned about.
Anyone with more than novice programming knowledge knows passwords should be hashed in one way or another, not stored 'unlockable'.
MASSIVE EDIT, FOR THE NON-TECHIES:
Here is the problem. The password is retrievable. That's really it. This sole fact means that the password is either stored as plaintext, like 'Hunter1' -> 'Hunter1', or encrypted, which implies that unencryption is possible. Consider the 'caesar shift cipher'. This is a technique of shifting the characters in a sequence by X amount. So if we shift our password to the right by one, 'Hunter1' becomes, say, 'Ivoufs2'. That is, H + 1 = I, etc.
We can now unencrypt this by applying the reverse shift, which means that, yes, the password is 'harder', but it is by no means more secure.
The only acceptable way of storing a password is by a process called hashing. This is a one way process. What this means is that 'Hunter1' -> HASH_FUNC -> '1234SDLFKj!!#$%'. The math is tricky, but basically every time you hash a string, you are guaranteed to get the same hash back. So if you store the hash, you can verify the password is correct, indirectly. If the database is compromised, no problem. Other than collisions, your hash is super safe.
Which means that a forgot password email should have either a) a temp pass, or b) a link to reset the pass off of a security question.
While this is all fine and dandy, the real, real big problem is that lots of people use the same password for multiple things. So getting your Elite password may mean your email password too, and then they can do a forgot pass on your bank site to get a new password, and now no more money.
This is probably the number one thing to not do when you're creating a website, period. Your users must be protected from themselves.
And, to top it all off, they're sending the password in plaintext in an email, which is in no way a secure method of delivery.
And this is (should be) a big deal to YOU, because this is YOUR data!
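The contrast the post draws, as an added example that is not part of the original post: the Caesar shift from the text is trivially reversible, while a salted one-way hash lets the site verify 'Hunter1' without ever being able to hand it back. The helper names, the PBKDF2 parameters and the storage format are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import string

def caesar_shift(text, k):
    """Shift ASCII letters (within their case) and digits by k; reversible with -k."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr(base + (ord(ch) - base + k) % 26))
        elif ch in string.digits:
            out.append(str((int(ch) + k) % 10))
        else:
            out.append(ch)  # punctuation and spaces are left untouched
    return ''.join(out)

def hash_password(password, iterations=100_000):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.

    The salt is random per user, so two users with the same password get
    different records, and the original password cannot be recovered."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split('$')
    if algo != 'pbkdf2_sha256':
        return False
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def reset_token():
    """What a 'forgot password' mail should carry instead of the password:
    a single-use random token that is itself only stored hashed server-side."""
    return secrets.token_urlsafe(32)
```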
